Abstract

Quantum information theory is an area of physics which studies both
fundamental and applied issues in quantum mechanics from an
information-theoretic viewpoint. The underlying techniques are, however,
often restricted to the analysis of systems which satisfy a certain
independence condition. For example, it is assumed that an experiment can
be repeated independently many times or that a large physical system
consists of many virtually independent parts. Unfortunately, such
assumptions are not always justified. This is particularly the case for
practical applications — e.g., in (quantum) cryptography — where parts of
a system might have an arbitrary and unknown behavior.

We propose an approach which allows one to study general physical systems
for which the above-mentioned independence condition does not necessarily
hold. It is based on an extension of various information-theoretic notions.
For example, we introduce new uncertainty measures, called smooth min- and
max-entropy, which are generalizations of the von Neumann entropy.
Furthermore, we develop a quantum version of de Finetti's representation
theorem, as described below.

Consider a physical system consisting of n parts. These might, for
instance, be the outcomes of n runs of a physical experiment. Moreover,
assume that the joint state of this n-partite system can be extended to an
(n + k)-partite state which is symmetric under permutations of its parts
(for some $k \gg 1$). The de Finetti representation theorem then says that
the original n-partite state is, in a certain sense, close to a mixture of
product states. Independence thus follows (approximatively) from a symmetry
condition. This symmetry condition can easily be met in many natural
situations. For example, it holds for the joint state of n parts which are
chosen at random from an arbitrary (n + k)-partite system.

As an application of these techniques, we prove the security of quantum
key distribution (QKD), i.e., secret key agreement by communication over
a quantum channel. In particular, we show that, in order to analyze QKD
protocols, it is generally sufficient to consider so-called collective
attacks, where the adversary is restricted to applying the same operation
to each particle sent over the quantum channel separately. The proof is
generic and thus applies to known protocols such as BB84 and B92 (where
better bounds on the secret-key rate and on the maximum tolerated noise
level of the quantum channel are obtained) as well as to continuous
variable schemes (where no full security proof has been known).
Furthermore, the security holds with respect to a strong so-called
universally composable definition. This implies that the keys generated by
a QKD protocol can safely be used in any application, e.g., for one-time
pad encryption — which, remarkably, is not the case for most of the
standard definitions.

Chapter 1

Introduction 



1.1 Motivation 

What is needed to establish a secret key between two spatially separated
parties? Clearly, this question is of immediate interest for practical
cryptographic applications such as secure message transmission.[1] More
importantly, however, it is related to fundamental problems in (classical
and quantum) information theory. Is information physical? Is classical
information distinct from quantum information? In fact, it turns out that
the possibility of secret key agreement (over insecure channels) strongly
depends on the physical properties of information and that there is indeed
a fundamental difference between classical and quantum information.

In this thesis, we address several basic questions of quantum information
theory: What does secrecy mean in a quantum world? (Chapter 2) How can
knowledge and uncertainty be quantified? (Chapter 3) What is the role of
symmetry? (Chapter |3J) Can any type of randomness be transformed into
uniform randomness? (Chapter 5) As we shall see, the answers to these
questions allow us to treat the problem of secret key agreement in a very
natural way (ChaptersElandEI).

1.2 Quantum key distribution: general facts 

Cryptographic setting 

We consider a setting where two distant parties, traditionally called Alice
and Bob, want to establish a common secret key, i.e., a string of random
bits which is unknown to an adversary, Eve. Throughout this thesis, we
focus on information-theoretic security, which is actually the strongest
reasonable notion of security.[2] It guarantees that an adversary does not
get any information correlated to the key, except with negligible
probability.

[1] For example, using one-time pad encryption [Ver26], the problem of
secretly exchanging $\ell$ message bits reduces to the problem of
distributing a secret key consisting of $\ell$ bits.

For the following, we assume that Alice and Bob already have at hand
some means to exchange classical messages in an authentic way.[3] In fact,
only relatively weak resources are needed to turn a completely insecure
communication channel into an authentic channel. For example, Alice and Bob
might invoke an authentication protocol (see, e.g., [Sti91, GN93]) for
which they need a short[4] initial key. Actually, as shown in [RW03, RW04],
it is even sufficient for Alice and Bob to start with only weakly
correlated and partially secret information (instead of a short secret
key).

Key agreement by quantum communication 

Under the sole assumption that Alice and Bob are connected by a classical
authentic communication channel, secret communication — and thus also the
generation of a secret key — is impossible [Sha49, Mau93]. This changes
dramatically when quantum mechanics comes into the game. Bennett and
Brassard [BB84] (see also [Wie83]) were the first to propose a quantum key
distribution (QKD) scheme which uses communication over a (completely
insecure) quantum channel (in addition to the classical authentic channel).
The scheme is commonly known as the BB84 protocol.

Quantum key distribution is generally based on the impossibility to
observe a quantum mechanical system without changing its state. An
adversary trying to wiretap the quantum communication between Alice and Bob
would thus inevitably leave traces which can be detected. A quantum key
distribution protocol thus achieves the following type of security: As long
as the adversary is passive, it generates an (arbitrarily long) secret key.
On the other hand, if the adversary tampers with the quantum channel, the
protocol recognizes the attack and aborts the computation of the key.[5]
(Note that this is actually the best one can hope for: As the quantum
channel is completely insecure, an adversary might always interrupt the
quantum communication between Alice and Bob, in which case it is impossible
to generate a secret key.)

[2] An example of a weaker level of security is computational security,
where one only requires that it is difficult (i.e., time-consuming, but not
impossible) for an adversary to compute information on the key.

[3] Authentic means that, upon receiving a message, Bob can verify whether
the message was indeed sent by Alice, and vice-versa.

[4] The length of the key only grows logarithmically in the length of the
message to be authenticated.

[5] More precisely, it is guaranteed that the protocol does not abort as
long as the adversary is passive (this is called robustness). Moreover, for
any attack on the quantum channel, the probability that the protocol does
not abort and the adversary gets information on the generated key is
negligible (see Section ffí.l.Hl for details).

An example: the BB84 protocol

To illustrate the main principle of quantum key distribution, let us have a
closer look at the BB84 protocol. It uses an encoding of classical bits in
qubits, i.e., two-level quantum systems.[6] The encoding is with respect to
one of two different orthogonal bases, called the rectilinear and the
diagonal basis.[7] These two bases are mutually unbiased, that is, a
measurement in one of the bases reveals no information on a bit encoded
with respect to the other basis.

In the first step of the protocol, Alice chooses N random bits
$X_1, \ldots, X_N$, encodes each of these bits into qubits using at
random[8] either the rectilinear or the diagonal basis, and transmits them
to Bob (using the quantum channel). Bob measures each of the qubits he
receives with respect to — a random choice of — either the rectilinear or
the diagonal basis to obtain classical bits $Y_i$. The pair of classical
bitstrings $X = (X_1, \ldots, X_N)$ and $Y = (Y_1, \ldots, Y_N)$ held by
Alice and Bob after this step is called the raw key pair.

The remaining part of the protocol is purely classical (in particular,
Alice and Bob only communicate classically). First, Alice and Bob apply a
sifting step, where they announce their choices of bases used for the
encoding and the measurement, respectively. They discard all bits of their
raw key for which the encoding and measurement bases are not compatible.
Then Alice and Bob proceed with a parameter estimation step. They compare
some (small) randomly chosen set of bits of their raw key in order to get a
guess for the error rate, i.e., the fraction of positions i in which $X_i$
and $Y_i$ disagree. If the error rate is too large — which might indicate
the presence of an adversary — Alice and Bob abort the protocol.

Let X' and Y' be the remaining parts of the raw keys (i.e., the bits of
X and Y that have neither been discarded in the sifting step nor used for
parameter estimation). These strings are now used for the actual
computation of the final key. In an information reconciliation step, Alice
sends certain error correcting information on X' to Bob.[9] This, together
with Y', allows him to compute a guess for X'. (Note that, because of the
parameter estimation step, it is guaranteed that X' and Y' only differ in a
limited number of positions.) In the final step of the protocol, called
privacy amplification, Alice and Bob use two-universal hashing[10] to turn
the (generally only partially secret) string X' into a shorter but secure
key.

[6] For example, the classical bits might be encoded into the spin
orientation of particles.

[7] See Section 7.2.1 for a definition.

[8] In the original proposal of the BB84 protocol, Alice and Bob choose the
two bases with equal probabilities. However, as pointed out in [LCA05], the
efficiency of the protocol is increased if they select one of the two bases
with probability almost one. In this case, the choices of Alice and Bob
will coincide with high probability, which means that the number of bits to
be discarded in the sifting step is small.

[9] The information reconciliation step might also be interactive.

[10] See Section 5.4 for a definition of two-universality.

The security of the BB84 protocol is based on the fact that an adversary,
ignorant of the actual encoding bases used by Alice, cannot gain information
about the encoded bits without disturbing the qubits sent over the quantum
channel. If the disturbance is too large, Alice and Bob will observe a high
error rate and abort the protocol in the parameter estimation step. On the
other hand, if the disturbance is below a certain threshold, then the
strings X' and Y' held by Alice and Bob are sufficiently correlated and
secret in order to distill a secret key.

In order to prove security, one thus needs to quantify the amount of
information that an adversary has on the raw key, given the disturbance
measured by Alice and Bob. It is a main goal of this thesis to develop the
information-theoretic techniques which are needed for this analysis. (See
also Section 1.6.3 for a sketch of the security proof.)
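
The BB84 steps described above (raw key, sifting, parameter estimation,
privacy amplification), as an added classical simulation in Python; it is
not code from the thesis. The quantum channel is modeled only through the
mutually-unbiased-bases rule, information reconciliation is left out because
the simulated channel is noiseless, and the function names, the disturbance
model, the abort threshold, the sample fraction and the output length are
assumptions chosen for illustration.

```python
import random

RECT, DIAG = 0, 1  # rectilinear and diagonal basis


def measure(bit, prep_basis, meas_basis, rng):
    """Mutually unbiased bases: a matching basis returns the encoded bit,
    a mismatched basis returns a uniformly random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def quantum_phase(n, rng, wiretap):
    """Alice encodes n random bits; Bob measures each in a random basis."""
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    b_bases = [rng.choice((RECT, DIAG)) for _ in range(n)]
    b_bits = []
    for bit, basis, b_basis in zip(a_bits, a_bases, b_bases):
        if wiretap:
            # Disturbance model assumed for this example: the qubit is measured
            # on the channel in a random basis and re-sent as measured.
            e_basis = rng.choice((RECT, DIAG))
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        b_bits.append(measure(bit, basis, b_basis, rng))
    return a_bits, a_bases, b_bits, b_bases


def sift(a_bits, a_bases, b_bits, b_bases):
    """Keep only positions where encoding and measurement bases agree."""
    keep = [i for i, (a, b) in enumerate(zip(a_bases, b_bases)) if a == b]
    return [a_bits[i] for i in keep], [b_bits[i] for i in keep]


def estimate_errors(x, y, sample_size, rng):
    """Compare a random sample, then drop the disclosed positions."""
    sample = set(rng.sample(range(len(x)), sample_size))
    errors = sum(x[i] != y[i] for i in sample)
    rest = [i for i in range(len(x)) if i not in sample]
    return errors / sample_size, [x[i] for i in rest], [y[i] for i in rest]


def toeplitz_hash(bits, out_len, seed):
    """Two-universal hash: multiply bits by an out_len x len(bits) Toeplitz
    matrix over GF(2); entry (r, c) of the matrix is seed[r - c + n - 1]."""
    n = len(bits)
    if len(seed) != n + out_len - 1:
        raise ValueError("seed must have len(bits) + out_len - 1 bits")
    out = []
    for r in range(out_len):
        acc = 0
        for c in range(n):
            acc ^= seed[r - c + n - 1] & bits[c]
        out.append(acc)
    return out


def run_bb84(n, seed, wiretap, threshold=0.11, sample_frac=0.25, out_len=64):
    """Run all steps; threshold, sample_frac and out_len are illustrative."""
    rng = random.Random(seed)
    x, y = sift(*quantum_phase(n, rng, wiretap))
    sample_size = max(1, int(len(x) * sample_frac))
    rate, x_rest, y_rest = estimate_errors(x, y, sample_size, rng)
    if rate > threshold:
        return {"aborted": True, "error_rate": rate,
                "key_alice": None, "key_bob": None}
    # Information reconciliation is omitted: without the wiretap this model
    # has no noise, so the remaining strings already agree.
    hash_seed = [rng.randrange(2) for _ in range(len(x_rest) + out_len - 1)]
    return {"aborted": False, "error_rate": rate,
            "key_alice": toeplitz_hash(x_rest, out_len, hash_seed),
            "key_bob": toeplitz_hash(y_rest, out_len, hash_seed)}


if __name__ == "__main__":
    for tapped in (False, True):
        result = run_bb84(4000, seed=7, wiretap=tapped)
        print("wiretap:", tapped, "aborted:", result["aborted"],
              "error rate: %.3f" % result["error_rate"])
```

With the assumed disturbance model, about a quarter of the sifted positions
disagree, so parameter estimation aborts; on the undisturbed channel both
parties derive the same hashed key.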

Alternative protocols 

Since the invention of quantum cryptography, a considerable effort has been
made to get a better understanding of its theoretical foundations as well
as to make it more practical. In the course of this research, a large
variety of alternative QKD protocols has been proposed. Some of them are
very efficient with respect to the secret-key rate, i.e., the number of key
bits generated per channel use [Bru98, BPG99]. Others are designed to cope
with high channel noise or noise in the detector, which makes them more
suitable for practical implementations [SARG04].

The structure of these protocols is mostly very similar to the BB84
protocol described above. For example, the six-state protocol proposed
in [Bru98, BPG99] uses three different bases for the encoding (i.e., six
different states), but otherwise is identical to the BB84 protocol. On the
other hand, the B92 protocol [Ben92] is based on an encoding with respect
to only two non-orthogonal states.

QKD over noisy channels 

Any realistic quantum channel is subject to intrinsic noise. Alice and Bob
will thus observe errors even if the adversary is passive. However, as these
errors are not distinguishable from errors caused by an attack, the
distribution of a secret key can only be successful if the noise level of
the channel is sufficiently low.

As an example, consider the BB84 protocol described above. In the
parameter estimation step, Alice and Bob compute a guess for the error
rate and abort the protocol if it exceeds a certain threshold. Hence, the
scheme only generates a key if the noise level of the channel is below this
threshold.

The amount of noise tolerated by a QKD scheme is an important measure for
its practicability. In fact, in an implementation, the level of noise
inevitably depends on the distance between Alice and Bob (i.e., the length
of the optical fiber, for an implementation based on photons). To
characterize the efficiency of QKD schemes, one thus often considers the
relation between the channel noise and the secret-key rate (see plots in
Chapter 7). Typically, the secret-key rate decreases with increasing noise
level and becomes zero as soon as the noise reaches a certain bound, called
the maximum tolerated channel noise.

Quantum key distribution and distillation 

Assume that Alice and Bob have access to some correlated quantum systems
(e.g., predistributed pairs of entangled particles). A quantum key
distillation protocol allows them to transform this correlation into a
common secret key, while using only classical authentic communication.

As explained below, a quantum key distribution (QKD) protocol can
generally be transformed into a key distillation protocol in such a way that
security of the latter implies security of the former. This is very
convenient for security proofs, as key distillation only involves quantum
states (instead of quantum channels) which are easier to analyze (see
[Eke91, BBM92]).

The connection between key distillation and key distribution protocols
is based on the following observation: Let X be a classical value chosen
according to a distribution $P_X$ and let $|\phi_x\rangle$ be a quantum
encoding of X. This situation could now equivalently be obtained by the
following two-step process: (i) prepare a bipartite quantum state
$|\Psi\rangle := \sum_x \sqrt{P_X(x)}\, |x\rangle \otimes |\phi_x\rangle$,
where $\{|x\rangle\}_x$ is some orthonormal basis of the first subsystem;
(ii) measure the first part of $|\Psi\rangle$ with respect to the basis
$\{|x\rangle\}_x$. In fact, it is easy to verify that the outcome X is
distributed according to $P_X$ and that the remaining quantum system
contains the correct encoding of X.
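
The verification mentioned above, written out as an added derivation (it is
not part of the original text). It uses the state
$|\Psi\rangle = \sum_x \sqrt{P_X(x)}\, |x\rangle \otimes |\phi_x\rangle$
of step (i) and assumes that each encoding $|\phi_x\rangle$ is normalized.
Projecting the first subsystem onto the basis vector $|x\rangle$ gives

$$(|x\rangle\langle x| \otimes \mathbb{1})\, |\Psi\rangle = \sum_{x'} \sqrt{P_X(x')}\, \langle x|x'\rangle\, |x\rangle \otimes |\phi_{x'}\rangle = \sqrt{P_X(x)}\, |x\rangle \otimes |\phi_x\rangle ,$$

because $\langle x|x'\rangle = \delta_{x,x'}$ for an orthonormal basis. The
probability of outcome x is the squared norm of this vector,

$$\Pr[X = x] = P_X(x)\, \langle x|x\rangle\, \langle \phi_x|\phi_x\rangle = P_X(x) ,$$

and the normalized post-measurement state is
$|x\rangle \otimes |\phi_x\rangle$, so the second subsystem is left in the
encoding $|\phi_x\rangle$ of the observed value.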

To illustrate how this observation applies to QKD, consider a protocol
where Alice uses the quantum channel to transmit an encoding
$|\phi_x\rangle$ of some randomly chosen value X to Bob (as, e.g., in the
first step of the BB84 protocol described above). According to the above
discussion, this can equivalently be achieved as follows:[11] First, Alice
locally prepares the bipartite state $|\Psi\rangle$ defined above, keeps
the first half of it, and sends the second half over the quantum channel to
Bob. Second, Alice measures the quantum system she kept to get the
classical value X. (Such a protocol is sometimes called an
entanglement-based scheme.)

Note that, after the use of the quantum channel — but before the
measurement — Alice and Bob share some (generally entangled) quantum state.
The remaining part of the key distribution protocol is thus actually a
quantum key distillation protocol. Hence, if this key distillation protocol
is secure (for any predistributed entanglement) then the original quantum
key distribution protocol is secure (for any arbitrary attack of Eve).

[11] More generally, any arbitrary protocol step can be replaced by a
coherent quantum operation followed by some measurement.

1.3 Contributions 

This thesis makes two different types of contributions. First, we introduce
various concepts and prove results which are of general interest in quantum
information theory and cryptography.[12] These contributions are summarized
in Section 1.3.1 below. Second, we apply our techniques to QKD in order to
derive a general security criterion. Some aspects and implications of this
result are discussed in Section 1.3.2.

1.3.1 New notions in quantum information theory 

Smooth min- and max-entropies as generalizations of von Neumann entropy

The von Neumann entropy, as a measure for the uncertainty on the state of
a quantum system, plays an important role in quantum information theory.
This is mainly due to the fact that it characterizes fundamental
information-theoretic tasks such as randomness extraction or data
compression. For example, the von Neumann entropy of a source emitting
quantum states can be interpreted as the minimum space needed to encode
these states such that they can later be reconstructed with arbitrarily
small error. However, any such interpretation of the von Neumann entropy
only holds asymptotically in situations where a certain underlying
experiment is repeated many times independently. For the above example,
this means that the encoding is over many (sufficiently independent)
outputs of the source.

In the context of cryptography, where an adversary might corrupt parts
of a system in an arbitrary way, this independence can often not be
guaranteed. The von Neumann entropy is thus usually not an appropriate
measure — e.g., to quantify the uncertainty of an adversary — unless we put
some severe restrictions on her capabilities (e.g., that her attack
consists of many independent repetitions of the same action).

In this thesis, we introduce two entropy measures, called smooth min- and
max-entropy, which can be seen as generalizations of the von Neumann
entropy. While smooth min-entropy quantifies the amount of uniform
randomness that can be extracted from a quantum system, the smooth
max-entropy corresponds to the length of an optimal encoding of the
system's state. Unlike the von Neumann entropy, however, this
characterization applies to arbitrary situations — including those for
which there is no underlying independently repeated experiment.

[12] For example, our result on privacy amplification against quantum
adversaries is not only useful to prove the security of QKD. It has also
found interesting applications within other fields of cryptography, as for
instance in the context of multi-party computation (see, e.g., [DFSS05] for
a result on bit commitment).

In the special case of many independent repetitions (that is, if the
system's state is described by a density operator which has product form),
smooth min- and max-entropy both reduce to the von Neumann entropy,
as expected. Moreover, smooth min- and max-entropy inherit most of the
properties known from the von Neumann entropy, as for example the strong
subadditivity. (We refer to Section 1.5 for a summary of these results.) On
the other hand, because the von Neumann entropy is a special case of smooth
min- and max-entropy, its properties follow directly from the corresponding
properties of the smooth min- or max-entropy. Interestingly, some of the
proofs are surprisingly easy in this general case. For example, the strong
subadditivity of the smooth min-entropy follows by a very short argument
(cf. Lemma 3.1.7 and Lemma 3.2.7). Note that this immediately gives a
simple proof for the strong subadditivity of the von Neumann entropy.

De Finetti representation theorem for finite symmetric quantum states

An n-partite density operator $\rho_n$ is said to be N-exchangeable, for
N > n, if it is the partial state (i.e., $\rho_n = \mathrm{tr}_k(\rho_N)$)
of an N-partite density operator $\rho_N$ which is invariant under
permutations of the subsystems. Moreover, $\rho_n$ is
infinitely-exchangeable if it is N-exchangeable for all N > n. The quantum
de Finetti representation theorem [HM76] (which is the quantum version of
a theorem in probability theory named after its inventor Bruno de
Finetti[13]) makes a fundamental statement on such symmetric
operators.[14] Namely, it says that any infinitely-exchangeable operator
$\rho_n$ can be written as a convex combination (i.e., a mixture) of
product operators,



We generalize the quantum de Finetti representation theorem for infinitely
exchangeable operators to the finite case.[15] More precisely, we show that
the above formula still holds approximatively if $\rho_n$ is only
N-exchangeable for some finite N which is sufficiently larger than n. (We
refer to Section 1.5 below for a more detailed description of this
statement.)

[13] See [MC93] for a collection of de Finetti's original papers.

[14] See [CFS02] for a nice proof of the quantum de Finetti theorem based
on its classical analogue.

[15] The result presented in this thesis is different from the one proposed
in a previous paper [KR05] (see Section U~ïïl for more details).

The de Finetti representation theorem turns out to be a useful tool in
quantum information theory. In fact, symmetric (and exchangeable) states
play an important role in many applications. For example, the operator
describing the joint state of n particles selected at random from a set of
N particles is N-exchangeable. Hence, according to our finite version of
the de Finetti representation theorem, the analysis of such states can be
reduced to the analysis of product states — which is often much easier than
the general case. Following this idea, we will use the finite de Finetti
representation theorem to argue that, for proving the security of a QKD
scheme against arbitrary attacks, it suffices to consider attacks that have
a certain product structure (so-called collective attacks, cf. Section
1.3.2).

Universal security of keys in a quantum world 

In quantum cryptography, the security of a secret key S is typically defined
with respect to the classical information W that an adversary might obtain
when measuring her quantum system $\mathcal{H}_E$. More precisely, S is
said to be secure if, for any measurement of the adversary's system
$\mathcal{H}_E$, the resulting outcome W gives virtually no information on
S. Although this definition looks quite strong, we shall see that it is not
sufficient for many applications, e.g., if the key S is used for one-time
pad encryption (see Section •

We propose a security definition which overcomes this problem. Roughly
speaking, we say that a key S is $\varepsilon$-secure if, except with
probability $\varepsilon$, S is equal to a perfect key which is uniformly
distributed and completely independent of the adversary's quantum system.
In particular, our security definition is universal in the sense that an
$\varepsilon$-secure key can safely be used in any application, except with
probability $\varepsilon$.[16]

Security of privacy amplification against quantum adversaries

Let X be a classical random variable on which an adversary has some partial
information. Privacy amplification is the art of transforming this
partially secure X into a fully secure key S, and has been studied
extensively for the case where the adversary's information is purely
classical. It has been shown [BBR88, ILL89, BBCM95] that it is always
possible to generate an $\ell$-bit key S which is secure against any
adversary whose uncertainty on X — measured in terms of the collision
entropy[17] — is sufficiently larger than $\ell$.

We generalize this classical privacy amplification theorem to include
quantum adversaries who might hold information on X encoded in the state
of a quantum system. We show that, similar to the classical result, X can
be transformed into a key of length $\ell$ which is secure[18] if the
uncertainty of the adversary on X — this time measured in terms of the
smooth min-entropy — is at least roughly $\ell$. Because the smooth
min-entropy is generally larger than the collision entropy, this also
implies the above classical result.

[16] Hence, our security definition fits into general frameworks concerned
with the universal security of quantum protocols, as proposed by Ben-Or and
Mayers [BOM04] and Unruh [Unr04] (see Section 1231 for more details).

[17] The collision entropy, also called Renyi entropy of order two, of a
probability distribution $P_X$ is the negative binary logarithm of its
collision probability $\sum_x P_X(x)^2$.

Our privacy amplification theorem is optimal with respect to the maximum
length $\ell$ of the extractable secret key — i.e., smooth min-entropy
completely characterizes the number of secret key bits that can be
generated from a partially secret string (up to some small constant). This
also improves our previous results [KMR05, RK05] which are only optimal in
certain special cases.[19]



1.3.2 Properties and implications of the security result 

We provide a simple and general[20] criterion for the security of QKD
against any attack allowed by the laws of quantum physics. The following is
a summary of the most important properties and consequences of this result.
(For a more detailed description of the security criterion and a proof
sketch, we refer to Section 1.6 below.)



Coherent attacks are not stronger than collective attacks 

An adversary might in principle apply an arbitrary operation on the quantum
states exchanged between Alice and Bob. In the case of the most general,
so-called coherent attacks, this operation could involve all subsystems
(particles) simultaneously, which makes it (seemingly) difficult to analyze.
One thus often considers a restricted class of attacks, called collective
attacks [BM97b, BM97a], where the adversary is assumed to apply the same
transformation to each of the subsystems that is sent over the channel.[21]
A natural and long-standing open question in this context is whether
security against collective attacks implies full security (see, e.g.,
[BBB+02]). Our result immediately answers this question in the positive,
that is, coherent attacks cannot be more powerful than collective
attacks.[22]

[18] We prove security according to the strong definition proposed in
Section 2.2 — i.e., the security is universal.

[19] The result proven in [RK05] is optimal if the density operator
describing the initial string together with the adversary's quantum
information has product form.

[20] The security criterion is general in the sense that it applies to
virtually all known protocols. Note that this stands in contrast to
previous security proofs, which are mostly designed for specific protocols.

[21] An even more restricted type of attacks are the so-called individual
attacks where, additionally, the adversary is supposed to apply some fixed
measurement operation to each of the subsystems sent through the channel.
In particular, this measurement cannot depend on the classical information
that Alice and Bob exchange for error correction and privacy amplification.
As shown in [BMS96], such individual attacks are generally weaker than
collective attacks. Hence, security against individual attacks does not
imply full security.

Security of practical implementations 

Because of technical limitations, practical implementations of QKD are
subject to many imperfections. In addition to noisy channels, these might
include faulty sources[23] or detector losses. Because of its generality,
our security criterion can be used for the analysis of such practical
settings.[24]

Keys generated by QKD can safely be used in applications 

The security result holds with respect to a so-called universal security
definition. This guarantees that the key generated by a QKD protocol can
safely be used in applications such as for one-time pad encryption. (As
mentioned above, this is not necessarily the case for many of the standard
security definitions.)

Improved bounds on the efficiency of concrete protocols

Our security result applies to protocols which could not be analyzed with
previously known techniques (e.g., a reduction to entanglement purification
schemes, as proposed in [SP00]). In particular, it allows one to compute
the key rates for new variants of known protocols.[25] For example, we
propose an improved version of the six-state protocol and show that it is
more efficient than previous variants. Moreover, we derive new bounds on
the maximum tolerated channel noise of the BB84 or the six-state protocol
with one-way post-processing.

Explicit bounds on the security of finite keys

The security criterion gives explicit (non-asymptotic) bounds on the secrecy
and the length of keys generated from any (finite) number of invocations
of the quantum channel. Moreover, it applies to schemes which use arbitrary
(not necessarily optimal) subprotocols for information reconciliation.
This is in contrast to most known security results which — with a few
exceptions[26] — only hold asymptotically for large key sizes and for
asymptotically optimal information reconciliation.

[22] This statement holds for virtually any QKD protocol; the only
requirement is that the protocol is symmetric under permutations of the
channel uses (see Section 1.6 for more details).

[23] For example, it is difficult to design sources that emit perfect
single-photon pulses.

[24] As there is no restriction on the structure of the underlying Hilbert
space, the security criterion applies to any modeling of the physical
system which is used for the quantum communication between Alice and Bob.

[25] E.g., we will analyze protocols that use an alternative method for the
processing of the raw key.

[26] See, e.g., [ILM01] for a nice and very careful explicit analysis of
the BB84 protocol.



1.4 Related work

The techniques developed in this thesis are partly motivated by ideas known
from classical information theory and, in particular, cryptography (e.g.,
classical de Finetti-style theorems, privacy amplification against
classical adversaries, or universally composable security). For a
discussion of these notions and their relation to our results we refer to
SectionED In the following, we rather focus on work related to the security
of QKD.

Since Bennett and Brassard proposed the first QKD protocol in 1984
[BB84], it took more than a decade until Mayers [May96] proved that the
scheme is secure against arbitrary attacks.[27] This result was followed by
various alternative proofs (see, e.g., [CRE04] or [LCA05] for an overview).

One of the most popular proof techniques was proposed by Shor and
Preskill [SP00], based on ideas of Lo and Chau [LC99]. It uses a connection
between key distribution and entanglement purification [BBP+96] pointed
out by Ekert [Eke91] (see also [BBM92]). The proof technique of Shor and
Preskill was later refined and applied to other protocols (see, e.g.,
[GL03, TKI03]).

In [CRE04], we have presented a general method for proving the security
of QKD which does not rely on entanglement purification. Instead, it
is based on a result on the security of privacy amplification in the context
of quantum adversaries [KMR05, RK05]. Later, this method has been extended
and applied to prove the security of new variants of the BB84 and
the six-state protocol [RGK05, KGR05]. 28 The security proof given in this
thesis is based on ideas developed in these papers.

Our new approach for proving the security of QKD has already found 
various applications. For example, it is used for the analysis of protocols 
based on continuous systems as well as to improve the analysis of known 
(practical) protocols exploiting the fact that an adversary cannot control 
the noise in the physical devices owned by Alice and Bob (see, e.g., [Gro05,
NA05, Lo05]).



1.5 Outline of the thesis 

The following is a brief summary of the main results obtained in each chap- 
ter. 

27 See also [May01] for an improved version of Mayers' proof.

28 In [RGK05, KGR05] we use an alternative technique (different from the quantum de
Finetti theorem) to show that collective attacks are equivalent to coherent attacks for
certain QKD protocols.

Chapter 2: Preliminaries

The first part of this chapter (Section 2.1) is concerned with the representation
of physical (cryptographic) systems as mathematical objects. We briefly
review the density operator formalism which is used to describe quantum
mechanical systems. Moreover, we present some variant of this formalism
which is useful when dealing with physical systems that consist of both
classical and quantum parts.

The second part of Chapter 2 (Section 2.2) is devoted to the security
definition for secret keys. We first argue that many of the widely used
definitions are problematic — in the sense that they do not imply the security
of applications such as one-time pad encryption. Then, as a solution to this
problem, we introduce a so-called universal security definition for secret keys
and discuss its properties.

Chapter 3: Smooth min- and max-entropy

This chapter introduces and studies smooth min-entropy $H_{\min}^\varepsilon$ and smooth
max-entropy $H_{\max}^\varepsilon$, which both are entropy measures for density operators.
We first discuss some basic properties (Sections 3.1 and 3.2) which are
actually very similar to those of the von Neumann entropy (Theorem 3.2.12).
For example, the smooth min-entropy is strongly subadditive, that is, 29

$$H_{\min}^\varepsilon(A|BC) \le H_{\min}^\varepsilon(A|B) , \tag{1.1}$$

and it obeys an inequality which can be interpreted as a chain rule,

$$H_{\min}^\varepsilon(AB|C) \le H_{\min}^\varepsilon(A|BC) + H_{\max}(B) . \tag{1.2}$$

Moreover, if the states in the subsystems $\mathcal{H}_A$ and $\mathcal{H}_C$ are independent
conditioned on a classical value $Y$ then

$$H_{\min}^\varepsilon(AY|C) \ge H_{\min}^\varepsilon(Y|C) + H_{\min}(A|Y) . \tag{1.3}$$

The second part of Chapter 3 (Section 3.3) treats the special case where
the density operators have product form. In this case, smooth min- and
max-entropy both reduce to the von Neumann entropy. Formally, the smooth
min-entropy $H_{\min}^\varepsilon(A^n|B^n)$ of a product state $\rho_{A^n B^n} = \sigma_{AB}^{\otimes n}$ satisfies

$$\lim_{n \to \infty} \frac{1}{n} H_{\min}^\varepsilon(A^n|B^n) = H(A|B) , \tag{1.4}$$

where $H(A|B) = H(\sigma_{AB}) - H(\sigma_B)$ is the (conditional) von Neumann
entropy evaluated for the operator $\sigma_{AB}$ (cf. Theorem 3.3.6 and Corollary 3.3.7).

29 We use a slightly simplified notation in this summary. For example, we write
$H_{\min}^\varepsilon(A|B)$ to denote the smooth min-entropy of a state $\rho_{AB}$ given the second
subsystem (instead of $H_{\min}^\varepsilon(\rho_{AB}|B)$ which is used in the technical part).
Chapter 4: Symmetric states

This chapter is concerned with symmetric states, that is, states on $n$-fold
product systems $\mathcal{H}^{\otimes n}$ that are invariant under permutations of the
subsystems. We first show that any permutation-invariant density operator has
a symmetric purification, which allows us to restrict our attention to the
analysis of pure symmetric states (Section 4.2).

The main result of this section is a finite version of the quantum de Finetti
representation theorem (Section 4.3). It says that symmetric states can be
approximated by a convex combination of states which have "almost" product
form (cf. Theorem 4.3.2). Formally, if $\rho^{n+k}$ is a permutation-invariant
operator on $N = n + k$ subsystems $\mathcal{H}$, then the partial state $\rho^n$ on $\mathcal{H}^{\otimes n}$
(obtained by tracing over $k$ subsystems) is approximated by a mixture of
operators $\rho^n_\sigma$, i.e.,



where the integral ranges over all density operators $\sigma$ on one single
subsystem $\mathcal{H}$ and $\nu$ is some probability measure on these operators. Roughly
speaking, the states $\rho^n_\sigma$ are superpositions of states which, on at least $n - r$
subsystems, for some small $r$, have product form $\sigma^{\otimes n-r}$. Moreover, the
distance 30 between the left and the right hand side of the approximation (1.5)
decreases exponentially fast in $r$ and $k$. 31

The properties of the states $\rho^n_\sigma$ occurring in the convex combination (1.5)
are similar to those of perfect product states $\sigma^{\otimes n}$. The main result of
Section 4.4 can be seen as a generalization of (1.4). It states that, for a state
$\rho_{A^n B^n}$ which has almost product form $\sigma_{AB}^{\otimes n}$ (in the sense defined above,
where $\sigma_{AB}$ is a bipartite operator on $\mathcal{H}_A \otimes \mathcal{H}_B$) the smooth min-entropy is
given by



(see Theorem 4.4.1).

Analogously, in Section 4.5 we show that states $\rho^n_\sigma$ which have almost
product form $\sigma^{\otimes n}$ lead to similar statistics as perfect product states $\sigma^{\otimes n}$ if
they are measured with respect to a product measurement. Formally, let
$P_Z$ be the distribution of the outcomes when measuring $\sigma$ with respect to

30 The distance is measured with respect to the $L_1$-distance, as defined in Section 2.1.4.

31 Note that this version of the finite quantum de Finetti representation
theorem — although the same in spirit — is distinct from the one proposed in [KR05]:
In [KR05], the decomposition is with respect to perfect $n$-fold product states $\sigma^{\otimes n}$ — instead
of states $\rho^n_\sigma$ which are products on only $n - r$ subsystems — but the approximation is not
exponential.

32 Note that Theorem 4.4.1 only implies one direction ($\ge$). The other direction ($\le$)
follows from a similar argument for the smooth max-entropy, which is an upper bound on
the smooth min-entropy.




(1.5) 




(1.6) 



n^oo n 
a POVM $\mathcal{M}$. Moreover, let $\lambda_{\mathbf{z}}$ be the statistics (i.e., the frequency
distribution) of the outcomes $\mathbf{z} = (z_1, \ldots, z_n)$ of the product measurement $\mathcal{M}^{\otimes n}$
applied to $\rho^n_\sigma$. Then

$$\lim_{n \to \infty} \lambda_{\mathbf{z}} = P_Z \tag{1.7}$$

(cf. TheoremEE21). 

Chapter 5: Privacy amplification

This chapter is on privacy amplification in the context of quantum
adversaries. The main result is an explicit expression for the secrecy of a key $S$
which is computed from an only partially secure string $X$ by two-universal
hashing 33 (Theorem 5.5.1 and Corollary 5.6.1). The result implies that the
key $S$ is secure under the sole condition that its length $\ell$ is bounded by

$$\ell \le H_{\min}^\varepsilon(X|E) \tag{1.8}$$

where $H_{\min}^\varepsilon(X|E)$ denotes the smooth min-entropy of $X$ given the
adversary's initial information.
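
The hashing step behind criterion (1.8), as an added example that is not code from the thesis: the text does not fix a two-universal family, so Toeplitz matrices over GF(2) are used here as an assumption, and the sizes and the min-entropy bound are constructed values. The exhaustive check confirms that two distinct inputs collide with probability exactly $2^{-\ell}$ over the choice of the (publicly announced) seed.

```python
import secrets
from fractions import Fraction
from itertools import product


def toeplitz_hash(x_bits, seed_bits, out_len):
    """Apply the out_len x n Toeplitz matrix given by seed_bits to x_bits over GF(2).

    Entry (i, j) of the matrix is seed_bits[i - j + n - 1], so every diagonal is
    constant and n + out_len - 1 seed bits select one member of the family.
    """
    n = len(x_bits)
    if len(seed_bits) != n + out_len - 1:
        raise ValueError("seed must have n + out_len - 1 bits")
    out = []
    for i in range(out_len):
        bit = 0
        for j in range(n):
            bit ^= x_bits[j] & seed_bits[i - j + n - 1]
        out.append(bit)
    return tuple(out)


def worst_collision_probability(n, out_len):
    """Exhaustive max over x != x' of Pr_f[f(x) = f(x')], f uniform in the family."""
    seeds = list(product((0, 1), repeat=n + out_len - 1))
    inputs = list(product((0, 1), repeat=n))
    worst = Fraction(0)
    for a in range(len(inputs)):
        for b in range(a + 1, len(inputs)):
            hits = sum(
                toeplitz_hash(inputs[a], s, out_len) == toeplitz_hash(inputs[b], s, out_len)
                for s in seeds
            )
            worst = max(worst, Fraction(hits, len(seeds)))
    return worst


def privacy_amplify(raw_key, seed_bits, out_len, min_entropy_bound):
    """Hash raw_key down to out_len bits; refuse lengths above the entropy bound."""
    if out_len > min_entropy_bound:
        raise ValueError("key length exceeds the min-entropy bound on X given E")
    return toeplitz_hash(raw_key, seed_bits, out_len)


def demo():
    """Alice and Bob hash identical strings with the same public seed."""
    n, ell = 16, 6                 # constructed sizes
    min_entropy_bound = 8          # constructed bound on the min-entropy of X given E (bits)
    x_alice = [secrets.randbelow(2) for _ in range(n)]
    x_bob = list(x_alice)          # Bob's guess after information reconciliation
    seed = [secrets.randbelow(2) for _ in range(n + ell - 1)]
    key_a = privacy_amplify(x_alice, seed, ell, min_entropy_bound)
    key_b = privacy_amplify(x_bob, seed, ell, min_entropy_bound)
    return key_a, key_b


if __name__ == "__main__":
    print("worst collision probability (n=4, l=2):", worst_collision_probability(4, 2))
    print("keys:", demo())
```
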

Chapter 6: Security of QKD

This chapter is devoted to the statement and proof of our main result on
the security of QKD. In particular, it contains an expression for the key
rate for a general class of protocols in terms of simple entropic quantities
(Theorem 6.5.1 and Corollary 6.5.2). (We refer to Section 1.6 for an overview
on this result and its proof.)

Chapter 7: Examples

As an illustration, we apply the general result of Chapter 6 to specific types
of QKD protocols. The focus is on schemes which are based on two-level
systems. In particular, we analyze different versions of the six-state QKD
protocol and compute explicit values for their rates (see Plots 7.1–7.5).

1.6 Outline of the security analysis of QKD 

The following is a summary of our main result on the security of quantum key
distillation which — according to the discussion in Section 1.2 — also implies
the security of quantum key distribution. Moreover, we give a sketch of
the security proof, which is based on the technical results summarized in
Section 1.5 above. (For a complete description of the security result and the
full proof, we refer to Chapter 6.)

33 That is, $S$ is the output $f(X)$ of a function $f$ which is randomly chosen from a so-called
two-universal family of hash functions (see Section 5.4 for a definition).

1.6.1 Protocol

We start with a brief characterization of the general type of quantum key
distillation protocols to which our security proof applies. For this, we assume
that Alice and Bob start with $N$ bipartite quantum systems $\mathcal{H}_A \otimes \mathcal{H}_B$
(describing, e.g., pairs of entangled particles). The protocol then runs through
the following steps in order to transform this initial entanglement between
Alice and Bob into a common secret key.

• Parameter estimation: Alice and Bob sacrifice some small number, say
$m$, subsystems $\mathcal{H}_A \otimes \mathcal{H}_B$ in order to estimate their average
correlation. For this, they both apply measurements with respect to different
bases and publicly announce the outcomes (using the authentic
classical communication channel). Depending on the resulting statistics,
they either decide to proceed with the computation of the key or to
abort the protocol.

• Measurement: Alice and Bob both apply measurements to their parts
of the remaining subsystems $\mathcal{H}_A \otimes \mathcal{H}_B$ to obtain a pair of raw keys.
(Note that these raw keys are generally only weakly correlated and
partially secure.)

• Block-wise processing: Alice and Bob might 34 further process their raw
key pair in order to improve its correlation or secrecy. We assume that
this processing acts on $n$ blocks of size $b$ individually. For example,
Alice and Bob might invoke a so-called advantage distillation protocol
(see Section 7.1.3) whose purpose is to single out blocks of the raw key
that are highly correlated. We denote by $X^n$ and $Y^n$ the strings held
by Alice and Bob after this step.

• Information reconciliation: The purpose of this step is to transform
the (possibly only weakly correlated) pair of strings $X^n$ and $Y^n$ into a
pair of identical strings. Typically, Alice sends certain error correcting
information on $X^n$ to Bob which allows him to compute a guess $\hat{X}^n$
of $X^n$.

• Privacy amplification: Alice and Bob use two-universal hashing to
transform their strings $X^n$ and $\hat{X}^n$ into secret keys of length $\ell$.

Additionally, we assume that the action of the protocol is invariant under
permutations of the $N$ input systems. This does not restrict the generality
of our results, because any protocol can easily be turned into a
permutation-invariant one: Before starting with the parameter estimation, Alice and Bob
simply have to (publicly) agree on a random permutation which they use to
reorder their subsystems (see Section 1.6.3 below for more details).

34 In many protocols, this step is omitted, i.e., Alice and Bob directly proceed with 
information reconciliation. 
1.6.2 Security criterion

The security of a key distillation scheme depends on the actual choice of
various protocol parameters which we define in the following:

• $\Gamma$ is the set of states on single subsystems which are not filtered by
the parameter estimation subprotocol: More precisely, $\Gamma$ contains all
density operators $\sigma_{AB}$ such that, when starting with the product state
$\rho_{A^N B^N} := \sigma_{AB}^{\otimes N}$, the protocol does not abort.

• $\mathcal{E}_{XYE \leftarrow A^b B^b E^b}$ is the CPM 35 on $b$ subsystems which describes the
measurement together with the block-wise processing on blocks of size $b$.

• $n$ is the number of blocks of size $b$ that are used for the actual
computation of the key (i.e., the number of blocks of subsystems that are
left after the parameter estimation step).

• $\ell$ denotes the length of the final key generated in the privacy
amplification step.

In addition, the security of the scheme depends on the efficiency of the
information reconciliation subprotocol, i.e., the amount of information that
is leaked to Eve. However, for this summary, we assume that Alice and
Bob use an optimal 36 information reconciliation protocol. In this case, the
leakage is roughly equal to the entropy of $X^n$ given $Y^n$. 37

We are now ready to formulate a general security criterion for quantum
key distillation (cf. Theorem 6.5.1): The scheme described above is secure
(for any initial state) if 38

$$\frac{\ell}{n} \lesssim \min_{\sigma_{AB} \in \Gamma} H(X|E) - H(X|Y) , \tag{1.9}$$

where the minimum ranges over all states $\sigma_{AB}$ contained in the set $\Gamma$ defined
above and where $H(X|E)$ and $H(X|Y)$ are the (conditional) von Neumann
entropies of

$$\sigma_{XYE} := \mathcal{E}_{XYE \leftarrow A^b B^b E^b}(\sigma_{ABE}^{\otimes b})$$

where $\sigma_{ABE}$ is a purification of $\sigma_{AB}$. Note that, because the operators $\sigma_{AB}$
are on single subsystems, formula (1.9) is usually fairly easy to evaluate for
concrete protocols (cf. Chapter 7).

Typically, the number $m$ of subsystems that are sacrificed for parameter
estimation is small compared to the total number $N$ of initial subsystems.

35 See Section 2.1.1 for a definition of completely positive maps (CPM).

36 In Section 6.3 we show that optimal information reconciliation protocols exist.

37 We refer to Chapter 6 for the general result which deals with arbitrary — not necessarily
optimal — information reconciliation schemes.

38 The approximation $\lesssim$ in (1.9) indicates that the criterion holds asymptotically for
increasing $n$. We refer to Chapter 6 for a non-asymptotic result.

Hence, the number $n$ of blocks of size $b$ that can be used for the actual
computation of the key is roughly given by $n \approx \frac{N}{b}$. 39 The criterion (1.9)
can thus be turned into an expression for the key rate of the protocol (i.e.,
the number of key bits generated per channel use):

$$\mathrm{rate} = \frac{1}{b} \min_{\sigma_{AB} \in \Gamma} H(X|E) - H(X|Y) .$$
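
A numerical evaluation of the rate expression for two-level systems, as an added example that is not code from the thesis. It assumes Bell-diagonal states $\sigma_{AB}$ with weights `lam`, measurements of both qubits in the computational basis, and block size $b = 1$ by default; the two candidate sets standing in for $\Gamma$ (a single state for a six-state-type test, a one-parameter family for a test that only fixes two error rates, as in BB84) are assumptions taken from the standard treatment of these protocols.

```python
import math

S = math.sqrt(0.5)
# Bell basis of two qubits; component index is 2*a + b (Alice's bit a, Bob's bit b).
BELL = [
    [S, 0.0, 0.0, S],    # Phi+
    [S, 0.0, 0.0, -S],   # Phi-
    [0.0, S, S, 0.0],    # Psi+  (bit error in the computational basis)
    [0.0, S, -S, 0.0],   # Psi-  (bit error in the computational basis)
]


def eigenvalues(matrix, sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-30:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                diff = a[q][q] - a[p][p]
                theta = math.pi / 4 if diff == 0.0 else 0.5 * math.atan(2 * a[p][q] / diff)
                c, s = math.cos(theta), math.sin(theta)
                for k in range(n):   # rotate columns p and q
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                for k in range(n):   # rotate rows p and q
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return [a[i][i] for i in range(n)]


def entropy(values):
    """Entropy in bits of a list of probabilities or (unnormalized) eigenvalues."""
    return -sum(v * math.log2(v) for v in values if v > 1e-15)


def outer_sum(vectors):
    """Sum of v v^T over real vectors: an unnormalized operator on Eve's system."""
    return [[sum(v[e] * v[f] for v in vectors) for f in range(4)] for e in range(4)]


def key_rate_term(lam):
    """H(X|E) - H(X|Y) for the Bell-diagonal state with weights lam."""
    # Purification |psi> = sum_i sqrt(lam_i) |Bell_i>_AB |i>_E, stored as psi[a][b][e].
    psi = [[[math.sqrt(max(lam[e], 0.0)) * BELL[e][2 * a + b] for e in range(4)]
            for b in range(2)] for a in range(2)]
    sigma_e = outer_sum([psi[x][y] for x in range(2) for y in range(2)])
    # sigma_XE is block diagonal in x, so its entropy is the sum over the blocks.
    h_xe = sum(entropy(eigenvalues(outer_sum([psi[x][0], psi[x][1]]))) for x in range(2))
    h_e = entropy(eigenvalues(sigma_e))
    p_xy = [[sum(c * c for c in psi[x][y]) for y in range(2)] for x in range(2)]
    p_y = [p_xy[0][y] + p_xy[1][y] for y in range(2)]
    h_xy = entropy([p for row in p_xy for p in row])
    return (h_xe - h_e) - (h_xy - entropy(p_y))


def rate(candidates, block_size=1):
    """(1/b) times the minimum of H(X|E) - H(X|Y) over the candidate set."""
    return min(key_rate_term(lam) for lam in candidates) / block_size


def six_state_gamma(q):
    """Assumed candidate set for error rate q in all three bases: one state."""
    return [(1 - 1.5 * q, q / 2, q / 2, q / 2)]


def bb84_gamma(q, steps=200):
    """Assumed candidate set when only two bases (error rate q each) are tested."""
    return [(1 - 2 * q + t, q - t, q - t, t) for t in (q * k / steps for k in range(steps + 1))]


if __name__ == "__main__":
    for q in (0.0, 0.05, 0.10):
        print(q, round(rate(six_state_gamma(q)), 4), round(rate(bb84_gamma(q)), 4))
```

The minimisation matters: with two tested bases the worst admissible state gives a strictly lower rate than the single state pinned down by three bases at the same error rate.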
1.6.3 Security proof 

We need to show that, for any initial state shared by Alice and Bob, 
the probability that the protocol generates an insecure key is negligible. 40 
Roughly speaking, the proof consists of two parts. In the first (Steps 1-2) 
we argue that we can restrict our analysis to a much smaller set of initial 
states, namely those that have (almost) product form. In the second part 
(Steps 3-5) we show that for each such state either of the following holds: 
(i) there is not sufficient correlation between Alice and Bob in which case
the protocol aborts during the parameter estimation or (ii) a measurement 
applied to the state generates an outcome with sufficient entropy such that 
the key computed from it is secure. 

Step 1: Restriction to permutation-invariant initial states 

As we assumed that the protocol is invariant under permutations of the
input systems, we can equivalently think of a protocol which starts with
the following symmetrization step: Alice chooses a permutation $\pi$ at
random and announces it to Bob, using the (insecure) classical communication
channel. Then Alice and Bob both permute the order of their $N$ subsystems
according to $\pi$. Obviously, the state $\rho_{A^N B^N}$ of Alice and Bob's system after
this symmetrization step (averaged over all choices of $\pi$) is invariant under
permutations.

Because the state $\rho_{A^N B^N}$ is invariant under permutations, it has a
purification $\rho_{A^N B^N E^N}$ (with an auxiliary system $\mathcal{H}_E^{\otimes N}$) which is symmetric as
well (cf. Lemma 4.2.2). As the pure state $\rho_{A^N B^N E^N}$ cannot be correlated
with anything else (cf. Section 2.1.2) we can assume without loss of
generality that the knowledge of a potential adversary is fully described by the
auxiliary system.

39 This is also true for QKD protocols with a sifting step (where Alice and Bob discard
the subsystems for which they have used incompatible encoding and decoding bases). In
fact, as mentioned in Section 1.2, if Alice and Bob choose one of the bases with probability
close to one, the fraction of positions lost in the sifting step is small.

40 Note that the protocol might abort if the initial state held by Alice and Bob is not
sufficiently correlated.

Step 2: Restriction to (almost) product states

Because $\rho_{A^N B^N E^N}$ is invariant under permutations, it is, according to our
finite version of the de Finetti representation theorem, approximated by a
mixture of states which have "almost" product form $\sigma_{ABE}^{\otimes N}$ — in the sense
described by formula (1.5).

Step 3: Smooth min-entropy of Alice and Bob's raw keys 

Assume for the moment that the joint initial state $\rho_{A^N B^N E^N}$ held by Alice,
Bob, and Eve has perfect product form $\sigma_{ABE}^{\otimes N}$. As Alice and Bob's
measurement operation (including the block-wise processing) $\mathcal{E}_{XY \leftarrow AB}$ acts on
$n$ blocks of size $b$ individually, the density operator $\rho_{X^n Y^n E^n}$ which describes
the situation before the information reconciliation step is given by

$$\rho_{X^n Y^n E^n} = (\mathcal{E}_{XY \leftarrow AB} \otimes \mathrm{id}_E)^{\otimes n}(\rho_{A^{bn} B^{bn} E^{bn}}) ,$$

where $X^n$ and $Y^n$ is Alice and Bob's raw key, respectively. Consequently,
$\rho_{X^n Y^n E^n}$ is the product of operators of the form

$$\sigma_{XYE} = (\mathcal{E}_{XY \leftarrow AB} \otimes \mathrm{id}_E)(\sigma_{ABE}^{\otimes b}) . \tag{1.10}$$

By (1.4), the smooth min-entropy of $\rho_{X^n E^n}$ is approximated in terms of the
von Neumann entropy of $\sigma_{XE}$, i.e.,

$$H_{\min}^\varepsilon(X^n|E^n) \ge n H(X|E) . \tag{1.11}$$

Using (1.6), this argument can easily be generalized to states $\rho_{A^N B^N E^N}$
which have almost product form.

Step 4: Smooth min-entropy after information reconciliation 

In the information reconciliation step, Alice sends error correcting
information $C$ about $X^n$ to Bob, using the authentic classical communication
channel. Eve might wiretap this communication which generally decreases
the smooth min-entropy of $X^n$ from her point of view.

As mentioned above, we assume for this summary that the information
reconciliation subprotocol is optimal with respect to the amount of
information leaked to Eve. It follows from classical coding theory that the number of
bits that Alice has to send to Bob in order to allow him to compute her value
$X^n$ is given by the Shannon entropy of $X^n$ conditioned on Bob's knowledge
$Y^n$. Formally, if $\rho_{X^n Y^n}$ has product form $\sigma_{XY}^{\otimes n}$ then the communication $C$
satisfies

$$H_{\max}(C) - H_{\min}(C|X^n) \approx n H(X|Y) , \tag{1.12}$$

where $H(X|Y)$ is the Shannon entropy of $X$ given $Y$, evaluated for the
probability distribution defined by $\sigma_{XY}$. (Note that the entropy difference
on the left hand side can be interpreted as a measure for the information
that $C$ gives on $X^n$.)

Let us now compute a lower bound on the smooth min-entropy of $X^n$
given Eve's knowledge after the information reconciliation step. By the
chain rule (1.2), we have

$$H_{\min}^\varepsilon(X^n|CE^n) \ge H_{\min}^\varepsilon(X^n C|E^n) - H_{\max}(C) .$$

Moreover, because $C$ is computed from $X^n$, we can apply inequality (1.3),
i.e.,

$$H_{\min}^\varepsilon(X^n C|E^n) \ge H_{\min}^\varepsilon(X^n|E^n) + H_{\min}(C|X^n) .$$

Combining this with (1.12) gives

$$H_{\min}^\varepsilon(X^n|CE^n) \ge H_{\min}^\varepsilon(X^n|E^n) - \bigl(H_{\max}(C) - H_{\min}(C|X^n)\bigr)$$
$$\gtrsim H_{\min}^\varepsilon(X^n|E^n) - n H(X|Y) .$$

Finally, using the approximation for $H_{\min}^\varepsilon(X^n|E^n)$, we conclude

$$H_{\min}^\varepsilon(X^n|CE^n) \ge n H(X|E) - n H(X|Y) . \tag{1.13}$$

Step 5: Security of the key generated by privacy amplification 

To argue that the key generated in the final privacy amplification step is
secure, we apply criterion (1.8). Because the adversary has access to both the
quantum system and the classical communication $C$, this security criterion
reads

$$\ell \le H_{\min}^\varepsilon(X^n|E^n C) \tag{1.14}$$

where $\ell$ is the length of the key.

As shown in Step 2, the state $\rho_{A^N B^N E^N}$ has almost product form $\sigma_{ABE}^{\otimes N}$.
Hence, according to (1.7), the statistics obtained by Alice and Bob in the
parameter estimation step corresponds to the statistics that they would
obtain if they started with a perfect product state $\sigma_{AB}^{\otimes N}$. We conclude that,
by the definition of the set $\Gamma$, the protocol aborts whenever $\sigma_{AB} \notin \Gamma$.

To bound the smooth min-entropy of the string held by Alice before
privacy amplification, it thus suffices to evaluate (1.13) for all states $\sigma_{AB}$
contained in $\Gamma$. Formally,

$$\frac{1}{n} H_{\min}^\varepsilon(X^n|CE^n) \ge \min_{\sigma_{ABE}} H(X|E) - H(X|Y) ,$$

where the minimum is over all (pure) states $\sigma_{ABE}$ such that $\sigma_{AB} \in \Gamma$ and
where $H(X|E)$ and $H(X|Y)$ are the entropies of the state $\sigma_{XYE}$ given
by (1.10). Combining this with criterion (1.14) concludes the proof.

2.1 Representation of physical systems

2.1.1 Density operators, measurements, and operations 

Quantum mechanics, like any other physical theory, allows us to make cer- 
tain predictions about the behavior of physical systems. These are, however, 
not deterministic — a system's initial state merely determines a probability 
distribution over all possible outcomes of an observation. 1 

Mathematically, the state of a quantum mechanical system with $d$ degrees
of freedom is represented by a normalized nonnegative 2 operator $\rho$,
called density operator, on a $d$-dimensional Hilbert space $\mathcal{H}$. The
normalization is with respect to the trace norm, i.e., $\|\rho\|_1 = \mathrm{tr}(\rho) = 1$. In the
following, we denote by $\mathcal{P}(\mathcal{H})$ the set of nonnegative operators on $\mathcal{H}$, i.e., $\rho$
is a density operator on $\mathcal{H}$ if and only if $\rho \in \mathcal{P}(\mathcal{H})$ and $\mathrm{tr}(\rho) = 1$.

Any observation of a quantum system corresponds to a measurement
and is represented mathematically as a positive operator valued measure
(POVM), i.e., a family $\mathcal{M} = \{M_w\}_{w \in \mathcal{W}}$ of nonnegative operators such that
$\sum_{w \in \mathcal{W}} M_w = \mathrm{id}_{\mathcal{H}}$. The theory of quantum mechanics postulates that the
probability distribution $P_W$ of the outcomes when measuring a system in
state $\rho$ with respect to $\mathcal{M}$ is given by $P_W(w) := \mathrm{tr}(M_w \rho)$.

Consider a physical system whose state $\rho^z$ depends on the value $z$ of a
classical random variable $Z$ with distribution $P_Z$. For an observer which is
ignorant of the value of $Z$, the state $\rho$ of the system is given by the convex
1 With his famous statement "Gott würfelt nicht," Einstein expressed his doubts about 
the completeness of such a non-deterministic theory. 

2 An operator $\rho$ on $\mathcal{H}$ is nonnegative if it is hermitian and has nonnegative eigenvalues.

combination 3

$$\rho = \sum_{z \in \mathcal{Z}} P_Z(z) \rho^z . \tag{2.1}$$

The decomposition (2.1) of a density operator $\rho$ is generally not unique.
Consider for example the fully mixed state defined by $\rho := \frac{1}{\dim(\mathcal{H})} \mathrm{id}_{\mathcal{H}}$. In
the case of a two-level system, $\rho$ might represent a photon which is polarized
horizontally or vertically with equal probabilities; but the same operator $\rho$
might also represent a photon which is polarized according to one of the two
diagonal directions with equal probabilities. In fact, the two settings cannot
be distinguished by any measurement.

A physical process is most generally described by a linear mapping $\mathcal{E}$,
called a quantum operation, which takes the system's initial state $\rho$ to its
final state $\rho'$. 4 Mathematically, a quantum operation $\mathcal{E}$ is a completely
positive map (CPM) 5 from the set of hermitian operators on a Hilbert space $\mathcal{H}$
to the set of hermitian operators on another Hilbert space $\mathcal{H}'$. Additionally,
in order to ensure that the image $\mathcal{E}(\rho)$ of a density operator $\rho$ is again a
density operator, $\mathcal{E}$ must be trace-preserving, i.e., $\mathrm{tr}(\mathcal{E}(\rho)) = \mathrm{tr}(\rho)$, for any
$\rho \in \mathcal{P}(\mathcal{H})$. It can be shown that any CPM $\mathcal{E}$ can be written as

$$\mathcal{E}(\rho) = \sum_{w \in \mathcal{W}} E_w \rho E_w^\dagger \tag{2.2}$$

where $\{E_w\}_{w \in \mathcal{W}}$ is a family of linear operators from $\mathcal{H}$ to $\mathcal{H}'$. On the other
hand, any mapping of the form (2.2) is a CPM. 6 Moreover, it is
trace-preserving if and only if $\sum_{w \in \mathcal{W}} E_w^\dagger E_w = \mathrm{id}_{\mathcal{H}}$.

As we have seen, the state of a quantum system might depend on some
classical event $\Omega$ (e.g., that $Z$ takes a certain value $z$). In this context, it is
often convenient to represent both the probability $\Pr[\Omega]$ of $\Omega$ and the state
$\bar{\rho}^\Omega$ of the system conditioned on $\Omega$ as one single mathematical object, namely
the nonnegative operator $\rho^\Omega := \Pr[\Omega] \cdot \bar{\rho}^\Omega$. 7 For this reason, we formulate
most statements on quantum states in terms of general (not necessarily
normalized) nonnegative operators. Similarly, we often consider general (not
necessarily trace-preserving) CPMs $\mathcal{E}$. The quantity $\mathrm{tr}(\mathcal{E}(\rho))$ can then be
3 Because a measurement is a linear mapping from the set of density operators to the set
of probability distributions, this is consistent with the above description. In particular, the
distribution of the outcomes resulting from a measurement of $\rho$ is the convex combination
of the distributions obtained from measurements of $\rho^z$.

4 A measurement can be seen as a special case of a quantum operation where the
outcome is classical (see Section 2.1.3).

5 Complete positivity means that any extension $\mathcal{E} \otimes \mathrm{id}$ of the map $\mathcal{E}$, where id is the
identity map on the set of hermitian operators on some auxiliary Hilbert space $\mathcal{H}''$, maps
nonnegative operators to nonnegative operators. Formally, $(\mathcal{E} \otimes \mathrm{id})(\rho) \in \mathcal{P}(\mathcal{H}' \otimes \mathcal{H}'')$ for
any $\rho \in \mathcal{P}(\mathcal{H} \otimes \mathcal{H}'')$.

6 This is in fact a direct consequence of Lemma B.5.1.

7 The probability of the event $\Omega$ is then equal to the trace of $\rho^\Omega$, i.e., $\Pr[\Omega] = \mathrm{tr}(\rho^\Omega)$,
and the system's state conditioned on $\Omega$ is $\bar{\rho}^\Omega = \frac{1}{\Pr[\Omega]} \rho^\Omega$.

interpreted as the probability that the process represented by $\mathcal{E}$ occurs when
starting with a system in state $\rho$.

2.1.2 Product systems and purifications 

To analyze complex physical systems, it is often convenient to consider a
partitioning into a number of subsystems. This is particularly useful if
one is interested in the study of operations that act on the parts of the
system individually. 8 Mathematically, the partition of a quantum system
into subsystems induces a product structure on the underlying Hilbert space.
For example, the state of a bipartite system is represented as a density
operator $\rho_{AB}$ on a product space $\mathcal{H}_A \otimes \mathcal{H}_B$. The state of one part of a
product system is then obtained by taking the corresponding partial trace
of the overall state, e.g., $\rho_A = \mathrm{tr}_B(\rho_{AB})$ for the first part of a bipartite
system.

A density operator $\rho$ on $\mathcal{H}$ is said to be pure if it has rank 9 one, that
is, $\rho = |\theta\rangle\langle\theta|$, for some $|\theta\rangle \in \mathcal{H}$. If it is normalized, $\rho$ is a projector 10 onto
$|\theta\rangle$. A pure density operator can only be decomposed trivially, i.e., for any
decomposition of the form (2.2), $\rho^z = \rho$ holds for all $z \in \mathcal{Z}$. According to the
above interpretation, one could say that a pure state contains no classical
randomness, that is, it cannot be correlated with any other system.

The fact that a pure state cannot be correlated with the environment
plays a crucial role in cryptography. It implies, for example, that the
randomness obtained from the measurement of a pure state is independent of
any other system and thus guaranteed to be secret. More generally, let $\rho_A$ be
an arbitrary operator on $\mathcal{H}_A$ and let $\rho_{AE}$ be a purification of $\rho_A$, i.e., $\rho_{AE}$ is
a pure state on a product system $\mathcal{H}_A \otimes \mathcal{H}_E$ such that $\mathrm{tr}_E(\rho_{AE}) = \rho_A$. Then,
because $\rho_{AE}$ is uncorrelated with any other system, the partial system $\mathcal{H}_E$
comprises everything that might possibly be correlated with the system $\mathcal{H}_A$
(including the knowledge of a potential adversary).

2.1.3 Quantum and classical systems 

Consider a classical random variable $Z$ with distribution $P_Z$ on some set $\mathcal{Z}$.
In a quantum world, it is useful to view $Z$ as a special case of a quantum
system. For this, one might think of the classical values $z \in \mathcal{Z}$ as being
represented by orthogonal 11 states $|z\rangle$ on some Hilbert space $\mathcal{H}_Z$. The state

8 This is typically the case in the context of cryptography, where various parties control
separated subsystems.

9 The rank of a hermitian operator $S$, denoted $\mathrm{rank}(S)$, is the dimension of the support
$\mathrm{supp}(S)$, i.e., the space spanned by the eigenvectors of $S$ with nonzero eigenvalues.

10 A hermitian operator $P$ is said to be a projector if $PP = P$.

11 The orthogonality of the states $|z\rangle$ guarantees that they can be distinguished perfectly,
as this is the case for classical values.

$\rho_Z$ of the quantum system is then defined by

$$\rho_Z = \sum_{z \in \mathcal{Z}} P_Z(z) |z\rangle\langle z| . \tag{2.3}$$

We say that $\rho_Z$ is the operator representation of the classical distribution
$P_Z$ (with respect to the basis $\{|z\rangle\}_{z \in \mathcal{Z}}$). 12

On the other hand, any operator $\rho_Z$ can be written in the form (2.3)
where $P_Z(z)$ are the eigenvalues of $\rho_Z$ and $|z\rangle$ are the corresponding
eigenvectors. The right hand side of (2.3) is called the spectral decomposition of
$\rho_Z$. Moreover, we say that $P_Z$ is the probability distribution defined by $\rho_Z$.

This notion can be extended to hybrid settings where the state $\bar{\rho}_A^z$ of a
quantum system $\mathcal{H}_A$ depends on the value $z$ of a classical random variable
$Z$ (see, e.g., [DW05]). The joint state of the system is then given by

$$\rho_{AZ} = \sum_{z \in \mathcal{Z}} \rho_A^z \otimes |z\rangle\langle z| , \tag{2.4}$$

where $\rho_A^z := P_Z(z) \bar{\rho}_A^z$.

We can also go in the other direction: If a density operator has the
form (2.4), for some basis $\{|z\rangle\}_{z \in \mathcal{Z}}$, then the first subsystem can be
interpreted as the representation of a classical random variable $Z$. This motivates
the following definition: An operator $\rho_{AZ} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_Z)$ is said to be
classical with respect to $\{|z\rangle\}_{z \in \mathcal{Z}}$ if there exists a family $\{\rho_A^z\}_{z \in \mathcal{Z}}$ of operators
on $\mathcal{H}_A$, called (non-normalized) conditional operators, such that $\rho_{AZ}$ can be
written in the form (2.4). Moreover, we say that $\rho_{AZ}$ is classical on $\mathcal{H}_Z$ if
there exists a basis $\{|z\rangle\}_{z \in \mathcal{Z}}$ of $\mathcal{H}_Z$ such that $\rho_{AZ}$ is classical with respect
to $\{|z\rangle\}_{z \in \mathcal{Z}}$. 13

A similar definition can be used to characterize quantum operations (i.e.,
CPMs) whose outcomes are partly classical: A CPM $\mathcal{E}$ from $\mathcal{H}$ to $\mathcal{H}_A \otimes \mathcal{H}_Z$
is said to be classical with respect to $\{|z\rangle\}_{z \in \mathcal{Z}}$ (or simply classical on $\mathcal{H}_Z$) if
it can be written as

$$\mathcal{E}(\rho) = \sum_{z \in \mathcal{Z}} \mathcal{E}^z(\rho) \otimes |z\rangle\langle z| ,$$

where, for any $z \in \mathcal{Z}$, $\mathcal{E}^z$ is a CPM from $\mathcal{H}$ to $\mathcal{H}_A$. Note that a measurement
on $\mathcal{H}$ with outcomes in $\mathcal{Z}$ can be seen as a CPM from $\mathcal{H}$ to $\mathcal{H}_Z$ which is
classical on $\mathcal{H}_Z$.

12 This definition can easily be generalized to multi-partite nonnegative (not necessarily
normalized) functions (e.g., $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$, where $\mathcal{P}(\mathcal{X} \times \mathcal{Y})$ denotes the set of
nonnegative functions on $\mathcal{X} \times \mathcal{Y}$) in which case one gets nonnegative operators on product
systems (e.g., $\rho_{XY} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_Y)$).

13 The operators $\rho_A^z$, for $z \in \mathcal{Z}$, are uniquely defined by $\rho_{AZ}$ and the basis $\{|z\rangle\}_{z \in \mathcal{Z}}$.
Moreover, because $\rho_{AZ}$ is nonnegative, the operators $\rho_A^z$, for $z \in \mathcal{Z}$, are also nonnegative.

2.1.4 Distance between states

Intuitively, we say that two states of a physical system are similar if any
observation of them leads to identical results, except with small probability.
For two operators $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ representing the state of a quantum system,
this notion of similarity is captured by the $L_1$-distance, i.e., the trace norm 14
$\|\rho - \rho'\|_1$ of the difference between $\rho$ and $\rho'$. 15 The $L_1$-distance for operators
can be seen as the quantum version of the $L_1$-distance for probability
distributions 16 (or, more generally, nonnegative functions), which is defined by
$\|P - P'\|_1 := \sum_z |P(z) - P'(z)|$ for $P, P' \in \mathcal{P}(\mathcal{Z})$. In particular, if $\rho$ and $\rho'$
are operator representations of probability distributions $P$ and $P'$,
respectively, then the $L_1$-distance between $\rho$ and $\rho'$ is equal to the $L_1$-distance
between $P$ and $P'$.

Under the action of a quantum operation, the $L_1$-distance between two
density operators $\rho$ and $\rho'$ cannot increase (cf. Lemma A.2.1). Because
any measurement can be seen as a quantum operation, this immediately
implies that the distance $\|P - P'\|_1$ between the distributions $P$ and $P'$
obtained from (identical) measurements of two density operators $\rho$ and $\rho'$,
respectively, is bounded by $\|\rho - \rho'\|_1$.

The following proposition provides a very simple interpretation of the 
Li-distance: If two probability distributions P and P' have Li-distance at 
most 2e, then the two settings described by P and P', respectively, cannot 
differ with probability more than e. 

Proposition 2.1.1. Let P,P' E V(X) be probability distributions. Then 
there exists a joint distribution Pxx' such that P and P' are the marginals 
of Pxx 1 (i-e., P = Px, P' = Px' ) ornà, for (x, x') chosen according to Pxx 1 , 

Pr [x / x] < -||P- P'||i . 

(x,x') 2 

In particular, if the Li-distance between two states is bounded by 2e, 
then they cannot be distinguished with probability more than s. 
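The joint distribution whose existence Proposition 2.1.1 asserts can be built explicitly. The following is an added example, not part of the thesis: it constructs a maximal coupling with exact rational arithmetic and checks both the marginals and the mismatch probability. The function names and the sample distributions (a slightly biased 2-bit string against a uniform one) are constructed for illustration, and both inputs are assumed to have the same total mass.

```python
from fractions import Fraction


def l1_distance(p, q):
    """||P - P'||_1 = sum_x |P(x) - P'(x)| for distributions given as dicts."""
    return sum(abs(p.get(x, 0) - q.get(x, 0)) for x in set(p) | set(q))


def maximal_coupling(p, q):
    """Joint distribution {(x, x'): mass} with marginals p and q that puts as
    much mass as possible on the diagonal x == x'."""
    joint, excess_p, excess_q = {}, {}, {}
    for x in set(p) | set(q):
        a, b = p.get(x, 0), q.get(x, 0)
        common = min(a, b)
        if common:
            joint[(x, x)] = common          # both settings agree on x
        if a > b:
            excess_p[x] = a - b             # mass only P can account for
        elif b > a:
            excess_q[x] = b - a             # mass only P' can account for
    delta = sum(excess_p.values())          # equals ||P - P'||_1 / 2
    # Spread the left-over mass over pairs (x, x') with x != x'. The two
    # excess supports are disjoint, so none of it lands on the diagonal.
    for x, a in excess_p.items():
        for y, b in excess_q.items():
            joint[(x, y)] = a * b / delta
    return joint


def marginals(joint):
    """Return (P_X, P_X') of a joint distribution over pairs."""
    left, right = {}, {}
    for (x, y), mass in joint.items():
        left[x] = left.get(x, 0) + mass
        right[y] = right.get(y, 0) + mass
    return left, right


def mismatch_probability(joint):
    """Pr[x != x'] for (x, x') drawn from the joint distribution."""
    return sum(mass for (x, y), mass in joint.items() if x != y)


# Constructed sample: a biased 2-bit string and the uniform 2-bit string.
BIASED = {"00": Fraction(5, 16), "01": Fraction(1, 4),
          "10": Fraction(1, 4), "11": Fraction(3, 16)}
UNIFORM = {s: Fraction(1, 4) for s in ("00", "01", "10", "11")}

if __name__ == "__main__":
    coupling = maximal_coupling(BIASED, UNIFORM)
    print("L1 distance      :", l1_distance(BIASED, UNIFORM))
    print("Pr[x != x']      :", mismatch_probability(coupling))
    print("marginals correct:", marginals(coupling) == (BIASED, UNIFORM))
```

For this construction the bound of the proposition holds with equality: the mismatch probability is exactly half the $L_1$-distance.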

14 The trace norm $\|S\|_1$ of a hermitian operator $S$ on $\mathcal{H}$ is defined by $\|S\|_1 := \mathrm{tr}(|S|)$.

15 The $L_1$-distance between two operators is closely related to the trace distance, which
is usually defined with an additional factor $\frac{1}{2}$.

16 The $L_1$-distance between classical probability distributions is also known as variational
distance or statistical distance (which are often defined with an additional factor $\frac{1}{2}$).

2.2 Universal security of secret keys

Cryptographic primitives (e.g., a secret key or an authentic communication
channel) are often used as components within a more complex system. It is
thus natural to require that the security of a cryptographic scheme is not
compromised when it is employed as part of another system. This requirement
is captured by the notion of universal security. Roughly speaking,
we say that a cryptographic primitive is universally secure if it is secure in
any arbitrary context. For example, the universal security of a secret key
$S$ implies that any bit of $S$ remains secret even if some other part of $S$ is
given to an adversary.

In the past few years, universal security has attracted a lot of interest
and led to important new definitions and proofs (see, e.g., the so-called
universal composability framework of Canetti [Can01] or Pfitzmann and
Waidner [PW00]). Recently, Ben-Or and Mayers [BOM04] and Unruh [Unr04]
have generalized Canetti's notion of universal composability to the quantum
world.

Universal security definitions are usually based on the idea of characterizing
the security of a real cryptographic scheme by its distance to an
ideal system which (by definition) is perfectly secure. For instance, a secret
key $S$ is said to be secure if it is close to a perfect key $U$, i.e., a uniformly
distributed string which is independent of the adversary's information. As
we shall see, such a definition immediately implies that any cryptosystem
which is proven secure when using a perfect key $U$ remains secure when $U$
is replaced by the (real) key $S$.

2.2.1 Standard security definitions are not universal 

Unfortunately, many security definitions that are commonly used in quantum
cryptography are not universal. For instance, the security of the key $S$
generated by a QKD scheme is typically defined in terms of the mutual
information $I(S; W)$ between $S$ and the classical outcome $W$ of a measurement
of the adversary's system (see, e.g., [LC99, SP00, NC00, GL03, LCA05] and
also the discussion in [BOHL+05] and [RK05]). Formally, $S$ is said to be
secure if, for some small $\varepsilon$,

$$\max I(S; W) \le \varepsilon , \tag{2.5}$$

where the maximum ranges over all measurements on the adversary's system
with output $W$. Such a definition — although it looks reasonable — does,
however, not guarantee that the key $S$ can safely be used in applications.
Roughly speaking, the reason for this flaw is that criterion (2.5) does not
account for the fact that an adversary might wait with the measurement
of her system until she learns parts of the key. (We also refer to [RK05]
and [BOHL+05] for a more detailed discussion and an analysis of existing
security definitions with respect to this concern.$^{17}$)

17 Note that the conclusions in [BOHL+05] are somewhat different to ours: It is shown
that existing privacy conditions of the form (2.5) do imply universal security, which seems
to contradict the counterexample sketched below. However, the result of [BOHL+05] only
holds if the parameter $\varepsilon$ in (2.5) is exponentially small in the key size, which is not the
case for most of the existing protocols. (In fact, the security parameter $\varepsilon$ can only be
made exponentially small at the expense of decreasing the key rate substantially.)

Let us illustrate this potential problem with a concrete example: Assume
that we would like to use an $n$-bit key $S = (S_1, \ldots, S_n)$ as a one-time pad to
encrypt an $n$-bit message $M = (M_1, \ldots, M_n)$.$^{18}$ Furthermore, assume that
an adversary is interested in the $n$th bit $M_n$ of the message, but already
knows the first $n - 1$ bits $M_1, \ldots, M_{n-1}$. Upon observing the ciphertext, the
adversary can easily determine$^{19}$ the first $n - 1$ bits of $S$. Hence, in order
to guarantee the secrecy of the $n$th message bit $M_n$, we need to ensure that
the adversary still has no information on the $n$th key bit $S_n$, even though
she already knows all previous key bits $S_1, \ldots, S_{n-1}$. This requirement,
however, is not implied by the above definition. Indeed, for any arbitrary
$\varepsilon > 0$ and $n$ depending on $\varepsilon$, it is relatively easy to construct examples
which satisfy (2.5) whereas an adversary — once she knows the first $n - 1$
bits of the key — can determine the $n$th bit $S_n$ with certainty. For an explicit
construction and analysis of such examples, we refer to [Bar05].$^{20}$

2.2.2 A universal security definition 

Consider a key $S$ distributed according to $P_S$ and let $\rho_E^s$ be the state of the
adversary's system given that $S$ takes the value $s$, for any element $s$ of the
key space $\mathcal{S}$. According to the discussion in Section 2.1.3, the joint state of
the classical key $S$ and the adversary's quantum system can be represented
by the density operator

$$\rho_{SE} := \sum_{s \in \mathcal{S}} P_S(s) \, |s\rangle\langle s| \otimes \rho_E^s ,$$

where $\{|s\rangle\}_{s \in \mathcal{S}}$ is an orthonormal basis of some Hilbert space $\mathcal{H}_S$. We say
that $S$ is $\varepsilon$-secure with respect to $\mathcal{H}_E$ if

$$\frac{1}{2} \|\rho_{SE} - \rho_U \otimes \rho_E\|_1 \le \varepsilon . \tag{2.6}$$

The universal security of a key $S$ satisfying this definition follows from a
simple argument: Criterion (2.6) guarantees that the real situation described
by $\rho_{SE}$ is $\varepsilon$-close — with respect to the $L_1$-distance — to an ideal situation
where $S$ is replaced by a perfect key $U$ which is uniformly distributed and
independent of the state of the system $\mathcal{H}_E$. Moreover, since the $L_1$-distance
cannot increase when applying a quantum operation (cf. Lemma A.2.1),
this also holds for any further evolution of the world (where, e.g., the key is
used as part of a larger cryptographic system). In fact, it follows from the
discussion in Section 2.1.4 that an $\varepsilon$-secure key can be considered identical
to an ideal (perfect) key — except with probability $\varepsilon$.$^{21}$ In particular, an
$\varepsilon$-secure key is secure within any reasonable framework providing universal
composability (e.g., [BOM04] or [Unr04]).$^{22}$

The security of a key according to (2.6) also implies security with respect
to most of the standard security definitions in quantum cryptography. For
example, if $S$ is $\varepsilon$-secure with respect to $\mathcal{H}_E$ then the mutual information
between $S$ and the outcome of any measurement applied to the adversary's
system is small (whereas the converse is often not true, as discussed above).
In particular, if the adversary is purely classical, (2.6) reduces to a classical
security definition which has been proposed in the context of
information-theoretically secure key agreement (see, e.g., [DM04]).

18 That is, the ciphertext $C = (C_1, \ldots, C_n)$ is the bit-wise XOR of $S$ and $M$, i.e.,
$C_i = S_i \oplus M_i$.

19 Note that $S_i = M_i \oplus C_i$.

20 This phenomenon has also been studied in other contexts (see, e.g., [DHL+04,
HLSW04]) where it is called locking of classical correlation.

21 For this statement to hold, it is crucial that the criterion (2.6) is formulated in terms
of the $L_1$-distance (instead of other distance measures such as the fidelity).

22 These frameworks are usually based on the so-called simulatability paradigm. That is,
a real cryptosystem is said to be as secure as an ideal cryptosystem if any attack to the real
scheme can be simulated by an attack to the ideal scheme (see also [MRH04]). It is easy
to see that our security criterion is compatible with this paradigm: Consider a (real) key
agreement protocol and assume that, for any possible attack of the adversary, the final key
satisfies (2.6). The adversary's quantum state after the attack is then almost independent
of the key, that is, the adversary could simulate virtually all her information without even
interacting with the cryptosystem. The real key agreement protocol is thus as secure as
an ideal key agreement scheme which, by definition, does not leak any information at all.

(Smooth) Min- and Max-Entropy

Entropy measures are indispensable tools in classical and quantum information
theory. They quantify randomness, that is, the uncertainty that an
observer has on the state of a (quantum) physical system. In this chapter,
we introduce two entropic quantities, called smooth min-entropy and
smooth max-entropy. As we shall see, these are useful to characterize
randomness with respect to fundamental information-theoretic tasks such as the
extraction of uniform randomness or data compression.$^{1}$ Moreover, smooth
min- and max-entropies have natural properties which are similar to those
known from the von Neumann entropy and its classical special case, the
Shannon entropy$^{2}$ (Sections 3.1 and 3.2). In fact, for product states, smooth
min- and max-entropy are asymptotically equal to the von Neumann entropy
(Section 3.3).

Smooth min- and max-entropies are actually families of entropy measures
parameterized by some nonnegative real number $\varepsilon$, called smoothness. In
applications, the smoothness is related to the error probability of certain
information-theoretic tasks and is thus typically chosen to be small. We
first consider the "non-smooth" special case where $\varepsilon = 0$ (Section 3.1). This
is the basis for the general definition where the smoothness $\varepsilon$ is arbitrary
(Section 3.2).

We will introduce a conditional version of smooth min- and max-entropy.
It is defined for bipartite operators $\rho_{AB}$ on $\mathcal{H}_A \otimes \mathcal{H}_B$ and measures the
uncertainty on the state of the subsystem $\mathcal{H}_A$ given access to the subsystem $\mathcal{H}_B$.
Unlike the conditional von Neumann entropy $H(A|B) := H(\rho_{AB}) - H(\rho_B)$,
however, it cannot be written as a difference between two "unconditional"
entropy measures.

1 Randomness extraction is actually privacy amplification and is the topic of
Chapter 5. Data compression is closely related to information reconciliation which is treated
in Section 6.3.

2 The Shannon entropy of a probability distribution $P$ is defined by
$H(P) := -\sum_x P(x) \log P(x)$, where $\log$ denotes the binary logarithm. Similarly, the
von Neumann entropy of a density operator $\rho$ is $H(\rho) := -\mathrm{tr}(\rho \log \rho)$.

To illustrate our definition of (conditional) min- and max-entropy, let
us, as an analogy, consider an alternative formulation of the conditional von
Neumann entropy $H(A|B)$. Let

$$H(\rho_{AB}|\sigma_B) := -\mathrm{tr}\bigl(\rho_{AB} (\log \rho_{AB} - \log \mathrm{id}_A \otimes \sigma_B)\bigr) , \tag{3.1}$$

for some state $\sigma_B$ on $\mathcal{H}_B$. This quantity can be rewritten as

$$H(\rho_{AB}|\sigma_B) = H(\rho_{AB}) - H(\rho_B) - D(\rho_B \| \sigma_B) ,$$

where $D(\rho_B \| \sigma_B)$ is the relative entropy$^{3}$ of $\rho_B$ to $\sigma_B$. Because $D(\rho_B \| \sigma_B)$
cannot be negative, this expression takes its maximum for $\sigma_B = \rho_B$, in which
case it is equal to $H(A|B)$. We thus have

$$H(A|B) = \sup_{\sigma_B} H(\rho_{AB}|\sigma_B) , \tag{3.2}$$

where the supremum ranges over all density operators $\sigma_B$ on $\mathcal{H}_B$.

The definitions of (smooth) min- and max-entropies are inspired by this
approach. We first introduce a quantity which corresponds to (3.1)
(cf. Definitions 3.1.1 and 3.2.1) and then define our entropy measures by a formula
of the form (3.2) (Definitions 3.1.2 and 3.2.2).
3 The relative entropy $D(\rho \| \sigma)$ is defined by $D(\rho \| \sigma) := \mathrm{tr}(\rho \log \rho) - \mathrm{tr}(\rho \log \sigma)$.

3.1 Min- and max-entropy

This section introduces a "non-smooth" version of min- and max-entropy. It
is the basis for the considerations in Section 3.2 where these entropy measures
are generalized. The focus is on min-entropy, which is used extensively
in the remaining part of the thesis. However, most of the properties derived
in the following also hold for max-entropy.

3.1.1 Definition of min- and max-entropy

Definition 3.1.1. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. The
min-entropy of $\rho_{AB}$ relative to $\sigma_B$ is

$$H_{\min}(\rho_{AB}|\sigma_B) := -\log \lambda$$

where $\lambda$ is the minimum real number such that $\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB}$ is
nonnegative. The max-entropy of $\rho_{AB}$ relative to $\sigma_B$ is

$$H_{\max}(\rho_{AB}|\sigma_B) := \log \mathrm{tr}\bigl((\mathrm{id}_A \otimes \sigma_B) \rho_{AB}^0\bigr)$$

where $\rho_{AB}^0$ denotes the projector onto the support of $\rho_{AB}$.

Definition 3.1.2. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$. The min-entropy and the
max-entropy of $\rho_{AB}$ given $\mathcal{H}_B$ are

$$H_{\min}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\min}(\rho_{AB}|\sigma_B)$$
$$H_{\max}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\max}(\rho_{AB}|\sigma_B) ,$$

respectively, where the supremum ranges over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ with
$\mathrm{tr}(\sigma_B) = 1$.

Remark 3.1.3. It follows from Lemma B.5.3 that the min-entropy of $\rho_{AB}$
relative to $\sigma_B$, for $\sigma_B$ invertible, can be written as

$$H_{\min}(\rho_{AB}|\sigma_B) = -\log \lambda_{\max}\bigl((\mathrm{id}_A \otimes \sigma_B^{-1/2}) \rho_{AB} (\mathrm{id}_A \otimes \sigma_B^{-1/2})\bigr) ,$$

where $\lambda_{\max}(\cdot)$ denotes the maximum eigenvalue of the argument.

If $\mathcal{H}_B$ is the trivial space $\mathbb{C}$, we simply write $H_{\min}(\rho_A)$ and $H_{\max}(\rho_A)$ to
denote the min- and the max-entropy of $\rho_A$, respectively. In particular,

$$H_{\min}(\rho_A) = -\log \lambda_{\max}(\rho_A)$$
$$H_{\max}(\rho_A) = \log \mathrm{rank}(\rho_A) .$$

The classical analogue

The above definitions can be specialized canonically to classical probability
distributions. More precisely, for $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ and $Q_Y \in \mathcal{P}(\mathcal{Y})$, we
have

$$H_{\min}(P_{XY}|Q_Y) := H_{\min}(\rho_{XY}|\sigma_Y)$$
$$H_{\max}(P_{XY}|Q_Y) := H_{\max}(\rho_{XY}|\sigma_Y)$$

where $\rho_{XY}$ and $\sigma_Y$ are the operator representations of $P_{XY}$ and $Q_Y$,
respectively (cf. Section 2.1.3).

Remark 3.1.4. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ and $Q_Y \in \mathcal{P}(\mathcal{Y})$. Then$^{5}$

$$H_{\min}(P_{XY}|Q_Y) = -\log \max_{y \in \mathrm{supp}(Q_Y)} \max_{x \in \mathcal{X}} \frac{P_{XY}(x, y)}{Q_Y(y)}$$
$$H_{\max}(P_{XY}|Q_Y) = \log \sum_{y \in \mathcal{Y}} Q_Y(y) \cdot |\mathrm{supp}(P_X^y)| ,$$

where $P_X^y$ denotes the function $P_X^y : x \mapsto P_{XY}(x, y)$. In particular,

$$H_{\max}(P_{XY}|Y) = \log \max_y |\mathrm{supp}(P_X^y)| .$$

4 Similarly, the Shannon entropy can be seen as the classical special case of the von
Neumann entropy.

5 The support of a nonnegative function $f \in \mathcal{P}(\mathcal{X})$, denoted $\mathrm{supp}(f)$, is the set of values
$x \in \mathcal{X}$ such that $f(x) > 0$.

3.1.2 Basic properties of min- and max-entropy

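Min-entropy cannot be larger than max-entropy

The following lemma gives a relation between min- and max-entropy. It
implies that, for a density operator $\rho_{AB}$, the min-entropy cannot be larger
than the max-entropy.

Lemma 3.1.5. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. Then

$$H_{\min}(\rho_{AB}|\sigma_B) + \log \mathrm{tr}(\rho_{AB}) \le H_{\max}(\rho_{AB}|\sigma_B) .$$

Proof. Let $\rho_{AB}^0$ be the projector onto the support of $\rho_{AB}$ and let $\lambda \ge 0$
such that $H_{\min}(\rho_{AB}|\sigma_B) = -\log \lambda$, i.e., $\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB}$ is nonnegative.
Using the fact that the trace of the product of two nonnegative operators is
nonnegative (Lemma B.5.2), we have

$$\mathrm{tr}\bigl(\lambda \cdot (\mathrm{id}_A \otimes \sigma_B) \rho_{AB}^0\bigr) - \mathrm{tr}(\rho_{AB}) = \mathrm{tr}\bigl((\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB}) \rho_{AB}^0\bigr) \ge 0 .$$

Hence,

$$\log \mathrm{tr}\bigl((\mathrm{id}_A \otimes \sigma_B) \rho_{AB}^0\bigr) \ge \log \mathrm{tr}(\rho_{AB}) - \log \lambda .$$

The assertion then follows by the definition of the max-entropy and the
choice of $\lambda$. □

Additivity of min- and max-entropy

The von Neumann entropy of a state which consists of two independent
parts is equal to the sum of the entropies of each part, i.e.,
$H(\rho_A \otimes \rho_{A'}) = H(\rho_A) + H(\rho_{A'})$. This also holds for min- and max-entropy.

Lemma 3.1.6. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$, $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ and, similarly,
$\rho_{A'B'} \in \mathcal{P}(\mathcal{H}_{A'} \otimes \mathcal{H}_{B'})$, $\sigma_{B'} \in \mathcal{P}(\mathcal{H}_{B'})$. Then

$$H_{\min}(\rho_{AB} \otimes \rho_{A'B'}|\sigma_B \otimes \sigma_{B'}) = H_{\min}(\rho_{AB}|\sigma_B) + H_{\min}(\rho_{A'B'}|\sigma_{B'})$$
$$H_{\max}(\rho_{AB} \otimes \rho_{A'B'}|\sigma_B \otimes \sigma_{B'}) = H_{\max}(\rho_{AB}|\sigma_B) + H_{\max}(\rho_{A'B'}|\sigma_{B'}) .$$

Proof. The statement follows immediately from Definition 3.1.1. □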
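For classical distributions the quantities of Remark 3.1.4 can be evaluated directly, which makes Lemma 3.1.5 and Lemma 3.1.6 easy to check numerically. The following is an added example, not code from the thesis; the function names and the sample distributions are constructed for illustration. The closed form used in `h_min_given_y` is not stated on the page: it follows from Definition 3.1.2 by choosing $Q_Y(y)$ proportional to $\max_x P_{XY}(x, y)$.

```python
from fractions import Fraction
from math import inf, log2


def conditional_supports(p_xy):
    """Map y -> supp(P_X^y), the set of x with P_XY(x, y) > 0."""
    supp = {}
    for (x, y), mass in p_xy.items():
        if mass > 0:
            supp.setdefault(y, set()).add(x)
    return supp


def h_min(p_xy, q_y):
    """H_min(P_XY|Q_Y) = -log max_y max_x P_XY(x, y) / Q_Y(y)."""
    worst = Fraction(0)
    for (x, y), mass in p_xy.items():
        if mass == 0:
            continue
        if q_y.get(y, 0) == 0:
            return -inf          # no finite lambda with lambda * Q_Y >= P_XY
        worst = max(worst, Fraction(mass) / q_y[y])
    return -log2(float(worst)) if worst else inf


def h_max(p_xy, q_y):
    """H_max(P_XY|Q_Y) = log sum_y Q_Y(y) * |supp(P_X^y)|."""
    total = sum(q_y.get(y, 0) * len(xs)
                for y, xs in conditional_supports(p_xy).items())
    return log2(float(total)) if total else -inf


def h_max_given_y(p_xy):
    """H_max(P_XY|Y) = log max_y |supp(P_X^y)|."""
    return log2(max(len(xs) for xs in conditional_supports(p_xy).values()))


def h_min_given_y(p_xy):
    """H_min(P_XY|Y) = -log sum_y max_x P_XY(x, y) (derived, see lead-in)."""
    best = {}
    for (x, y), mass in p_xy.items():
        best[y] = max(best.get(y, 0), mass)
    return -log2(float(sum(best.values())))


def product(p_xy, p2_xy):
    """Distribution of two independent pairs, with X = (x, x'), Y = (y, y')."""
    return {((x, x2), (y, y2)): m * m2
            for (x, y), m in p_xy.items() for (x2, y2), m2 in p2_xy.items()}


def product_q(q_y, q2_y):
    """Product of two distributions on the conditioning systems."""
    return {(y, y2): m * m2 for y, m in q_y.items() for y2, m2 in q2_y.items()}


# Constructed sample distributions (exact rationals).
P_XY = {(0, "a"): Fraction(1, 2), (1, "a"): Fraction(1, 4),
        (0, "b"): Fraction(1, 8), (2, "b"): Fraction(1, 8)}
Q_Y = {"a": Fraction(3, 4), "b": Fraction(1, 4)}      # marginal of P_XY on Y
P2_XY = {(0, 0): Fraction(3, 4), (1, 0): Fraction(1, 4)}
Q2_Y = {0: Fraction(1)}

if __name__ == "__main__":
    print("H_min(P_XY|Q_Y) =", h_min(P_XY, Q_Y))
    print("H_max(P_XY|Q_Y) =", h_max(P_XY, Q_Y))
    print("H_min(P_XY|Y)   =", h_min_given_y(P_XY))
    print("H_max(P_XY|Y)   =", h_max_given_y(P_XY))
    joint, joint_q = product(P_XY, P2_XY), product_q(Q_Y, Q2_Y)
    print("additivity (min):", h_min(joint, joint_q),
          "=", h_min(P_XY, Q_Y) + h_min(P2_XY, Q2_Y))
```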
Strong subadditivity

The von Neumann entropy is subadditive, i.e., $H(A|BC) \le H(A|B)$, which
means that the entropy cannot increase when conditioning on an additional
subsystem. This property can be generalized to min- and max-entropy.

Lemma 3.1.7. Let $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$ and $\sigma_{BC} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_C)$.
Then

$$H_{\min}(\rho_{ABC}|\sigma_{BC}) \le H_{\min}(\rho_{AB}|\sigma_B)$$
$$H_{\max}(\rho_{ABC}|\sigma_{BC}) \le H_{\max}(\rho_{AB}|\sigma_B) .$$

Note that, for min-entropy, the statement follows directly from the more
general fact that the entropy cannot decrease under certain quantum
operations (cf. Lemma 3.1.12).

Proof. Let $\lambda \ge 0$ such that $-\log \lambda = H_{\min}(\rho_{ABC}|\sigma_{BC})$, i.e.,
$\lambda \cdot \mathrm{id}_A \otimes \sigma_{BC} - \rho_{ABC}$ is nonnegative. Because the operator obtained by taking
the partial trace of a nonnegative operator is nonnegative,
$\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB}$ is also nonnegative. This immediately implies
$-\log \lambda \le H_{\min}(\rho_{AB}|\sigma_B)$ and thus concludes the proof of the statement for
min-entropy.

To show that the assertion also holds for max-entropy, let $\rho_{AB}^0$ and $\rho_{ABC}^0$
be the projectors on the support of $\rho_{AB}$ and $\rho_{ABC}$, respectively. Because
the support of $\rho_{ABC}$ is contained in the tensor product of the support of $\rho_{AB}$
and $\mathcal{H}_C$ (cf. Lemma B.4.1), the operator $\rho_{AB}^0 \otimes \mathrm{id}_C - \rho_{ABC}^0$ is nonnegative.
Moreover, because the trace of the product of two nonnegative operators is
nonnegative (cf. Lemma B.5.2), we find

$$\mathrm{tr}\bigl((\mathrm{id}_A \otimes \sigma_B) \rho_{AB}^0\bigr) - \mathrm{tr}\bigl((\mathrm{id}_A \otimes \sigma_{BC}) \rho_{ABC}^0\bigr) = \mathrm{tr}\bigl((\mathrm{id}_A \otimes \sigma_{BC})(\rho_{AB}^0 \otimes \mathrm{id}_C - \rho_{ABC}^0)\bigr) \ge 0 .$$

The assertion then follows by the definition of the max-entropy. □

Note that the strong subadditivity of the max-entropy together with
Lemma 3.1.5 implies that $H_{\min}(\rho_{AB}|\sigma_B) \le H_{\max}(\rho_A)$, for density operators
$\rho_{AB}$ and $\sigma_B$.

Conditioning on classical information 

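The min- and max-entropies of states which are partially classical can be
expressed in terms of the min- and max-entropies of the corresponding
conditional operators (see Section 2.1.3).

Lemma 3.1.8. Let $\rho_{ABZ} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_Z)$ and $\sigma_{BZ} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_Z)$ be
classical with respect to an orthonormal basis $\{|z\rangle\}_{z \in \mathcal{Z}}$ of $\mathcal{H}_Z$, and let $\rho_{AB}^z$
and $\sigma_B^z$ be the corresponding (non-normalized) conditional operators. Then

$$H_{\min}(\rho_{ABZ}|\sigma_{BZ}) = \inf_{z \in \mathcal{Z}} H_{\min}(\rho_{AB}^z|\sigma_B^z)$$
$$H_{\max}(\rho_{ABZ}|\sigma_{BZ}) = \log \sum_{z \in \mathcal{Z}} 2^{H_{\max}(\rho_{AB}^z|\sigma_B^z)} .$$

Proof. Because the vectors $|z\rangle$ are mutually orthogonal, the equivalence

$$\lambda \cdot \mathrm{id}_A \otimes \sigma_{BZ} - \rho_{ABZ} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_Z)
\iff \forall z \in \mathcal{Z} : \lambda \cdot \mathrm{id}_A \otimes \sigma_B^z - \rho_{AB}^z \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B) \tag{3.3}$$

holds for any $\lambda \ge 0$. The assertion for the min-entropy then follows from
the fact that the negative logarithm of the minimum $\lambda$ satisfying the left
hand side and the right hand side of (3.3) are equal to the quantities
$H_{\min}(\rho_{ABZ}|\sigma_{BZ})$ and $\inf_{z \in \mathcal{Z}} H_{\min}(\rho_{AB}^z|\sigma_B^z)$, respectively.

To prove the statement for the max-entropy, let $\rho_{ABZ}^0$ and $(\rho_{AB}^z)^0$, for
$z \in \mathcal{Z}$, be projectors onto the support of $\rho_{ABZ}$ and $\rho_{AB}^z$, respectively. Because
the vectors $|z\rangle$ are mutually orthogonal, we have

$$\rho_{ABZ}^0 = \sum_{z \in \mathcal{Z}} (\rho_{AB}^z)^0 \otimes |z\rangle\langle z| ,$$

and thus

$$\mathrm{tr}\bigl((\mathrm{id}_A \otimes \sigma_{BZ}) \rho_{ABZ}^0\bigr) = \sum_{z \in \mathcal{Z}} \mathrm{tr}\bigl((\mathrm{id}_A \otimes \sigma_B^z)(\rho_{AB}^z)^0\bigr) .$$

The assertion then follows by the definition of the max-entropy. □

Classical subsystems have nonnegative min-entropy

Similarly to the conditional von Neumann entropy, the min- and max-entropies
of entangled systems can generally be negative. This is, however,
not the case for the entropy of a classical subsystem. Lemma 3.1.9 below
implies that

$$H_{\min}(\rho_{XC}|\rho_C) \ge 0 ,$$

for any density operator $\rho_{XC}$ which is classical on the first subsystem$^{6}$. By
Lemma 3.1.5, the same holds for max-entropy.

Lemma 3.1.9. Let $\rho_{XBC} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$ be classical on $\mathcal{H}_X$ and let
$\sigma_C \in \mathcal{P}(\mathcal{H}_C)$. Then

$$H_{\min}(\rho_{XBC}|\sigma_C) \ge H_{\min}(\rho_{BC}|\sigma_C) .$$

Proof. Let $\lambda \ge 0$ such that $-\log \lambda = H_{\min}(\rho_{BC}|\sigma_C)$. Because $\rho_{XBC}$ is
classical on $\mathcal{H}_X$, there exists an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ and a family
$\{\rho_{BC}^x\}_{x \in \mathcal{X}}$ of operators on $\mathcal{H}_B \otimes \mathcal{H}_C$ such that
$\rho_{XBC} = \sum_{x \in \mathcal{X}} |x\rangle\langle x| \otimes \rho_{BC}^x$.
By the definition of $\lambda$, the operator

$$\lambda \cdot \mathrm{id}_B \otimes \sigma_C - \sum_{x \in \mathcal{X}} \rho_{BC}^x = \lambda \cdot \mathrm{id}_B \otimes \sigma_C - \rho_{BC}$$

is nonnegative. Hence, for any $x \in \mathcal{X}$, the operator $\lambda \cdot \mathrm{id}_B \otimes \sigma_C - \rho_{BC}^x$ must
also be nonnegative. This implies that the operator

$$\lambda \cdot \mathrm{id}_{XB} \otimes \sigma_C - \rho_{XBC} = \sum_{x \in \mathcal{X}} \lambda \cdot |x\rangle\langle x| \otimes \mathrm{id}_B \otimes \sigma_C - |x\rangle\langle x| \otimes \rho_{BC}^x$$

is nonnegative as well. We thus have $-\log \lambda \le H_{\min}(\rho_{XBC}|\sigma_C)$, from which
the assertion follows. □

6 To see this, let $\mathcal{H}_B$ be the trivial space $\mathbb{C}$ and set $\sigma_C = \rho_C$.

3.1.3 Chain rules for min-entropy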

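The chain rule for the von Neumann entropy reads $H(AB|C) = H(A|BC) + H(B|C)$.
In particular, since $H(B|C)$ cannot be larger than $H(B)$, we have
$H(AB|C) \le H(A|BC) + H(B)$. The following lemma implies that a similar
statement holds for min-entropy, namely,

$$H_{\min}(\rho_{ABC}|C) \le H_{\min}(\rho_{ABC}|BC) + H_{\max}(\rho_B) .$$

Lemma 3.1.10. Let $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$, $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$, and let
$\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ be the fully mixed state on the support of $\rho_B$. Then

$$H_{\min}(\rho_{ABC}|\sigma_C) = H_{\min}(\rho_{ABC}|\sigma_B \otimes \sigma_C) + H_{\max}(\rho_B) .$$

Proof. Let $\mathcal{H}_{B'} := \mathrm{supp}(\rho_B)$ be the support of $\rho_B$ and let $\lambda \ge 0$. The
operator $\sigma_B$ can then be written as $\sigma_B = \frac{1}{\mathrm{rank}(\rho_B)} \mathrm{id}_{B'}$, where $\mathrm{id}_{B'}$ is the
identity on $\mathcal{H}_{B'}$. Hence, because the support of $\rho_{ABC}$ is contained in
$\mathcal{H}_A \otimes \mathcal{H}_{B'} \otimes \mathcal{H}_C$ (cf. Lemma B.4.1), the operator
$\lambda \cdot \mathrm{id}_A \otimes \sigma_B \otimes \sigma_C - \rho_{ABC}$ is nonnegative if and only if the operator
$\lambda \cdot \frac{1}{\mathrm{rank}(\rho_B)} \cdot \mathrm{id}_A \otimes \mathrm{id}_B \otimes \sigma_C - \rho_{ABC}$
is nonnegative. The assertion thus follows from the definition of the
min-entropy and the fact that $H_{\max}(\rho_B) = \log \mathrm{rank}(\rho_B)$. □

Data processing

Let $A$, $Y$, and $C$ be random variables such that $A \leftrightarrow Y \leftrightarrow C$ is a Markov
chain, i.e., the conditional probability distributions $P_{AC|Y=y}$ have product
form $P_{A|Y=y} \times P_{C|Y=y}$. The uncertainty on $A$ given $Y$ is then equal to
the uncertainty on $A$ given $Y$ and $C$, that is, in terms of Shannon entropy,
$H(A|Y) = H(A|YC)$. Hence, by the chain rule, we get the equality
$H(AY|C) = H(Y|C) + H(A|Y)$.

The same equality also holds for quantum states $\rho_{AYC}$ on $\mathcal{H}_A \otimes \mathcal{H}_Y \otimes \mathcal{H}_C$
which are classical on $\mathcal{H}_Y$ and where, analogously to the Markov condition,
the conditional density operators $\rho_{AC}^y$ have product form, i.e.,
$\rho_{AC}^y = \rho_A^y \otimes \rho_C^y$. The following lemma generalizes this statement to min-entropy.

Lemma 3.1.11. Let $\rho_{AYC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_Y \otimes \mathcal{H}_C)$ be classical with respect to
an orthonormal basis $\{|y\rangle\}_{y \in \mathcal{Y}}$ of $\mathcal{H}_Y$ such that the corresponding conditional
operators $\rho_{AC}^y$, for any $y \in \mathcal{Y}$, have product form and let $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$. Then

$$H_{\min}(\rho_{AYC}|\sigma_C) \ge H_{\min}(\rho_{YC}|\sigma_C) + H_{\min}(\rho_{AY}|\rho_Y) .$$

Proof. For any $y \in \mathcal{Y}$, let $p_y := \mathrm{tr}(\rho_{AC}^y)$ and let $\bar{\rho}_{AC}^y := \frac{1}{p_y} \rho_{AC}^y$ be the
normalization of $\rho_{AC}^y$. The operator $\rho_{AYC}$ can then be written as

$$\rho_{AYC} = \sum_{y \in \mathcal{Y}} p_y \, \bar{\rho}_A^y \otimes |y\rangle\langle y| \otimes \bar{\rho}_C^y .$$

Let $\lambda, \lambda' \ge 0$ such that $-\log \lambda = H_{\min}(\rho_{YC}|\sigma_C)$, $-\log \lambda' = H_{\min}(\rho_{AY}|\rho_Y)$.
Because the vectors $|y\rangle$ are mutually orthogonal, it follows immediately from
the definition of the min-entropy that the operators $\lambda \cdot \sigma_C - p_y \cdot \bar{\rho}_C^y$ and
$\lambda' \cdot \mathrm{id}_A - \bar{\rho}_A^y$ are nonnegative, for any $y \in \mathcal{Y}$. Consequently, the operator

$$\lambda \cdot \lambda' \cdot \mathrm{id}_A \otimes \mathrm{id}_Y \otimes \sigma_C - \rho_{AYC}
= \sum_{y \in \mathcal{Y}} \lambda \cdot \lambda' \cdot \mathrm{id}_A \otimes |y\rangle\langle y| \otimes \sigma_C - p_y \, \bar{\rho}_A^y \otimes |y\rangle\langle y| \otimes \bar{\rho}_C^y$$

is nonnegative as well. This implies

$$H_{\min}(\rho_{AYC}|\sigma_C) \ge -\log(\lambda \cdot \lambda') = -\log \lambda - \log \lambda'$$

from which the assertion follows by the definition of $\lambda$ and $\lambda'$. □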
3.1.4 Quantum operations can only increase min-entropy 

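The min-entropy can only increase when applying quantum operations.
Because the partial trace is a quantum operation, this general statement also
implies the first assertion of Lemma 3.1.7 (strong subadditivity).

Lemma 3.1.12. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$, $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$, $\bar{\sigma}_{B'} \in \mathcal{P}(\mathcal{H}_{B'})$ and
let $\mathcal{E}$ be a CPM from $\mathcal{H}_A \otimes \mathcal{H}_B$ to $\mathcal{H}_{A'} \otimes \mathcal{H}_{B'}$ such that
$\mathrm{id}_{A'} \otimes \bar{\sigma}_{B'} - \mathcal{E}(\mathrm{id}_A \otimes \sigma_B)$ is nonnegative. Then, for $\rho_{A'B'} := \mathcal{E}(\rho_{AB})$,

$$H_{\min}(\rho_{A'B'}|\bar{\sigma}_{B'}) \ge H_{\min}(\rho_{AB}|\sigma_B) .$$

Proof. Let $\lambda \ge 0$ such that $-\log \lambda = H_{\min}(\rho_{AB}|\sigma_B)$, that is, the operator
$\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB}$ is nonnegative. Because $\mathcal{E}$ is a quantum operation, the
operator $\lambda \cdot \mathcal{E}(\mathrm{id}_A \otimes \sigma_B) - \mathcal{E}(\rho_{AB})$ is also nonnegative. Combining this with
the assumption that $\mathrm{id}_{A'} \otimes \bar{\sigma}_{B'} - \mathcal{E}(\mathrm{id}_A \otimes \sigma_B)$ is nonnegative, we conclude
that the operator

$$\lambda \cdot \mathrm{id}_{A'} \otimes \bar{\sigma}_{B'} - \rho_{A'B'}
= \lambda \bigl(\mathrm{id}_{A'} \otimes \bar{\sigma}_{B'} - \mathcal{E}(\mathrm{id}_A \otimes \sigma_B)\bigr) + \lambda \cdot \mathcal{E}(\mathrm{id}_A \otimes \sigma_B) - \rho_{A'B'}$$

is also nonnegative. The assertion then follows by the definition of the
min-entropy. □

3.1.5 Min-entropy of superpositions

Let $\{|x\rangle\}_{x \in \mathcal{X}}$ be an orthonormal basis on $\mathcal{H}_X$, let $\{|\psi^x\rangle\}_{x \in \mathcal{X}}$ be a family of
vectors on $\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$, and define

(3.4)

(3.5)

Note that, if the states $|\psi^x\rangle$ are orthogonal then $\bar{\rho}_{ABEX}$ can be seen as the
state resulting from an orthogonal measurement of $\rho_{ABE}$ with respect to the
projectors along $|\psi^x\rangle$. While $\rho_{ABE}$ is a superposition (linear combination) of
vectors $|\psi^x\rangle$, $\bar{\rho}_{ABE}$ is a mixture of vectors $|\psi^x\rangle$. The following lemma gives
a lower bound on the min-entropy of $\rho_{ABE}$ in terms of the min-entropy of
$\bar{\rho}_{ABE}$.

Lemma 3.1.13. Let $\rho_{ABE}$ and $\bar{\rho}_{ABEX}$ be defined by (3.4) and (3.5),
respectively, and let $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. Then

$$H_{\min}(\rho_{AB}|\sigma_B) \ge H_{\min}(\bar{\rho}_{AB}|\sigma_B) - H_{\max}(\bar{\rho}_X) .$$

Proof. Assume without loss of generality that, for all $x \in \mathcal{X}$, $|\psi^x\rangle$ is not the
zero vector. This implies $H_{\max}(\bar{\rho}_X) = \log |\mathcal{X}|$. Moreover, let $\lambda \ge 0$ such
that $-\log \lambda = H_{\min}(\bar{\rho}_{AB}|\sigma_B)$. It then suffices to show that the operator

$$\lambda \cdot |\mathcal{X}| \cdot \mathrm{id}_A \otimes \sigma_B - \rho_{AB} \tag{3.6}$$

is nonnegative.

Let $|\theta\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$. By linearity, we have

$$\langle\theta|\rho_{AB}|\theta\rangle = \langle\theta|\mathrm{tr}_E(|\psi\rangle\langle\psi|)|\theta\rangle = \sum_{x, x' \in \mathcal{X}} \langle\theta|\mathrm{tr}_E(|\psi^x\rangle\langle\psi^{x'}|)|\theta\rangle . \tag{3.7}$$

Let $\{|z\rangle\}_{z \in \mathcal{Z}}$ be an orthonormal basis of $\mathcal{H}_E$ and define $|\theta, z\rangle := |\theta\rangle \otimes |z\rangle$.
Then, by the Cauchy-Schwarz inequality, for any $x, x' \in \mathcal{X}$,

$$\bigl|\langle\theta|\mathrm{tr}_E(|\psi^x\rangle\langle\psi^{x'}|)|\theta\rangle\bigr| = \Bigl|\sum_{z} \langle\theta, z|\psi^x\rangle\langle\psi^{x'}|\theta, z\rangle\Bigr|
\le \sqrt{\langle\theta|\mathrm{tr}_E(|\psi^x\rangle\langle\psi^x|)|\theta\rangle \, \langle\theta|\mathrm{tr}_E(|\psi^{x'}\rangle\langle\psi^{x'}|)|\theta\rangle} .$$

Combining this with (3.7) and using Jensen's inequality, we find

$$\langle\theta|\rho_{AB}|\theta\rangle \le \sum_{x, x' \in \mathcal{X}} \sqrt{\langle\theta|\mathrm{tr}_E(|\psi^x\rangle\langle\psi^x|)|\theta\rangle \, \langle\theta|\mathrm{tr}_E(|\psi^{x'}\rangle\langle\psi^{x'}|)|\theta\rangle}$$
$$\le |\mathcal{X}| \sqrt{\sum_{x, x' \in \mathcal{X}} \langle\theta|\mathrm{tr}_E(|\psi^x\rangle\langle\psi^x|)|\theta\rangle \, \langle\theta|\mathrm{tr}_E(|\psi^{x'}\rangle\langle\psi^{x'}|)|\theta\rangle}$$
$$= |\mathcal{X}| \sum_{x \in \mathcal{X}} \langle\theta|\mathrm{tr}_E(|\psi^x\rangle\langle\psi^x|)|\theta\rangle$$
$$= |\mathcal{X}| \cdot \langle\theta|\bar{\rho}_{AB}|\theta\rangle .$$

By the choice of $\lambda$, the operator $\lambda \cdot \mathrm{id}_A \otimes \sigma_B - \bar{\rho}_{AB}$ is nonnegative. Hence
$\langle\theta|\bar{\rho}_{AB}|\theta\rangle \le \lambda \langle\theta|\mathrm{id}_A \otimes \sigma_B|\theta\rangle$ and thus, by the above inequality,
$\langle\theta|\rho_{AB}|\theta\rangle \le \lambda \cdot |\mathcal{X}| \cdot \langle\theta|\mathrm{id}_A \otimes \sigma_B|\theta\rangle$. Because this is true for any vector
$|\theta\rangle$, we conclude that the operator defined by (3.6) is nonnegative. □

Lemma 3.1.14. Let $\rho_{ABE}$, $\bar{\rho}_{ABEX}$ be defined by (3.4) and (3.5),
respectively, and let $\sigma_{BX} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_X)$. Then

$$H_{\min}(\rho_{AB}|\sigma_B) \ge H_{\min}(\bar{\rho}_{ABX}|\sigma_{BX}) - H_{\max}(\bar{\rho}_X) .$$

Proof. The assertion follows from Lemma 3.1.13 together with Lemma 3.1.7. □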



3.2 Smooth min- and max-entropy 

The min-entropy and the max-entropy, as defined in the previous section,
are discontinuous in the sense that a slight modification of the system's
state might have a large impact on its entropy. To illustrate this, consider
for example a classical random variable $X$ on the set $\{0, \ldots, n - 1\}$ which
takes the values 0 and 1 with probability almost one half, i.e.,
$P_X(0) = P_X(1) = \frac{1 - \varepsilon}{2}$, for some small $\varepsilon > 0$, whereas the other values have equal
probabilities, i.e., $P_X(x) = $ for all $x > 1$. Then, by the definition of the
max-entropy, $H_{\max}(P_X) = \log n$. On the other hand, if we slightly change
the probability distribution $P_X$ to some probability distribution $\bar{P}_X$ such
that $\bar{P}_X(x) = 0$, for all $x > 1$, then $H_{\max}(\bar{P}_X) = 1$. In particular, for $n$
large, $H_{\max}(P_X) \gg H_{\max}(\bar{P}_X)$, while $\|P_X - \bar{P}_X\|_1 \le \varepsilon$.

We will see later (cf. Section 6.3) that the max-entropy $H_{\max}(P_X)$ can
be interpreted as the minimum number of bits needed to encode $X$ in such
a way that its value can be recovered from the encoding without errors. The
above example is consistent with this interpretation. Indeed, while we need
at least $\log n$ bits to store a value $X$ distributed according to $P_X$, one single
bit is sufficient to store a value distributed according to $\bar{P}_X$. However, for
most applications, we allow some small error probability. For example, we
might want to encode $X$ in such a way that its value can be recovered with
probability $1 - \varepsilon$. Obviously, in this case, one single bit is sufficient to store
$X$ even if it is distributed according to $P_X$.

The example illustrates that, given some probability distribution $P_X$,
one might be interested in the maximum (or minimum) entropy of any
distribution $\bar{P}_X$ which is close to $P_X$. This idea is captured by the notion of
smooth min- and max-entropy.

3.2.1 Definition of smooth min- and max-entropy 

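The definition of smooth min- and max-entropy is based on the
"non-smooth" version (Definition 3.1.1).

Definition 3.2.1. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$, $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$, and $\varepsilon \ge 0$. The
$\varepsilon$-smooth min-entropy and the $\varepsilon$-smooth max-entropy of $\rho_{AB}$ relative to $\sigma_B$
are

$$H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B) := \sup_{\bar{\rho}_{AB}} H_{\min}(\bar{\rho}_{AB}|\sigma_B)$$
$$H_{\max}^{\varepsilon}(\rho_{AB}|\sigma_B) := \inf_{\bar{\rho}_{AB}} H_{\max}(\bar{\rho}_{AB}|\sigma_B) ,$$

where the supremum and infimum range over the set $\mathcal{B}^{\varepsilon}(\rho_{AB})$ of all
operators $\bar{\rho}_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ such that $\|\bar{\rho}_{AB} - \rho_{AB}\|_1 \le \mathrm{tr}(\rho_{AB}) \cdot \varepsilon$ and
$\mathrm{tr}(\bar{\rho}_{AB}) \le \mathrm{tr}(\rho_{AB})$.

Definition 3.2.2. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and let $\varepsilon \ge 0$. The $\varepsilon$-smooth
min-entropy and the $\varepsilon$-smooth max-entropy of $\rho_{AB}$ given $\mathcal{H}_B$ are

$$H_{\min}^{\varepsilon}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B)$$
$$H_{\max}^{\varepsilon}(\rho_{AB}|B) := \sup_{\sigma_B} H_{\max}^{\varepsilon}(\rho_{AB}|\sigma_B) ,$$

where the supremum ranges over all $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ with $\mathrm{tr}(\sigma_B) = 1$.

Note that, similar to the description in Section 3.1.1, these definitions can
be specialized to classical probability distributions.

Evaluating the suprema and infima

Remark 3.2.3. If the Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_B$ has finite dimension, then
the set of operators $\bar{\rho}_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})$ as well as the set of operators
$\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ with $\mathrm{tr}(\sigma_B) = 1$ is compact. Hence, the infima and suprema in
the above definitions can be replaced by minima and maxima, respectively.

Remark 3.2.4. The supremum in the definition of the smooth min-entropy
$H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B)$ (Definition 3.2.1) can be restricted to the set of operators
$\bar{\rho}_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})$ with $\mathrm{supp}(\bar{\rho}_{AB}) \subseteq \mathrm{supp}(\rho_A) \otimes \mathrm{supp}(\sigma_B)$.

Additionally, to compute $H_{\min}^{\varepsilon}(\rho_{ABZ}|\sigma_{BZ})$ where $\rho_{ABZ}$ and $\sigma_{BZ}$ are
classical with respect to an orthonormal basis $\{|z\rangle\}_{z \in \mathcal{Z}}$ on a subsystem $\mathcal{H}_Z$,
it is sufficient to take the supremum over operators $\bar{\rho}_{ABZ} \in \mathcal{B}^{\varepsilon}(\rho_{ABZ})$ which
are classical with respect to $\{|z\rangle\}_{z \in \mathcal{Z}}$.

Similarly, to compute $H_{\min}^{\varepsilon}(\rho_{XAB}|\sigma_B)$ where $\rho_{XAB}$ is classical on a
subsystem $\mathcal{H}_X$, the supremum can be restricted to states $\bar{\rho}_{XAB} \in \mathcal{B}^{\varepsilon}(\rho_{XAB})$
which are classical on $\mathcal{H}_X$.

Proof. For the first statement, we show that any operator $\bar{\rho}_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})$
can be transformed to an operator $\mathcal{E}(\bar{\rho}_{AB}) \in \mathcal{B}^{\varepsilon}(\rho_{AB})$ which has at least
the same amount of min-entropy as $\bar{\rho}_{AB}$ and, additionally, has support on
$\mathrm{supp}(\rho_A) \otimes \mathrm{supp}(\sigma_B)$.

Let $\mathcal{E}$ be the operation on $\mathcal{H}_A \otimes \mathcal{H}_B$ defined by

$$\mathcal{E}(\bar{\rho}_{AB}) := (\rho_A^0 \otimes \mathrm{id}_B) \, \bar{\rho}_{AB} \, (\rho_A^0 \otimes \mathrm{id}_B) .$$

Because the operator $\mathrm{id}_A \otimes \sigma_B - \mathcal{E}(\mathrm{id}_A \otimes \sigma_B)$ is nonnegative, Lemma 3.1.12
implies that the min-entropy can only increase under the action of $\mathcal{E}$.
Moreover, $\mathrm{supp}(\rho_{AB}) \subseteq \mathrm{supp}(\rho_A) \otimes \mathcal{H}_B$ (cf. Lemma B.4.1) and thus
$\mathcal{E}(\rho_{AB}) = \rho_{AB}$. Because $\mathcal{E}$ is a projection, the $L_1$-distance cannot increase
under the action of $\mathcal{E}$ (cf. Lemma A.2.1), i.e.,

$$\|\mathcal{E}(\bar{\rho}_{AB}) - \rho_{AB}\|_1 = \|\mathcal{E}(\bar{\rho}_{AB} - \rho_{AB})\|_1 \le \|\bar{\rho}_{AB} - \rho_{AB}\|_1 \le \mathrm{tr}(\rho_{AB}) \cdot \varepsilon .$$

We thus have $\mathcal{E}(\bar{\rho}_{AB}) \in \mathcal{B}^{\varepsilon}(\rho_{AB})$. The assertion then follows because we
can assume that $\mathrm{supp}(\bar{\rho}_{AB})$ is contained in $\mathcal{H}_A \otimes \mathrm{supp}(\sigma_B)$ (otherwise, the
min-entropy is arbitrarily negative and the statement is trivial) and thus
$\mathrm{supp}(\mathcal{E}(\bar{\rho}_{AB})) \subseteq \mathrm{supp}(\rho_A) \otimes \mathrm{supp}(\sigma_B)$.

The statements for $\rho_{ABZ}$ and $\rho_{XAB}$ are proven similarly. □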

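Remark 3.2.5. Let $\rho_{ABZ} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_Z)$ be classical with respect to
an orthonormal basis $\{|z\rangle\}_{z \in \mathcal{Z}}$ of $\mathcal{H}_Z$. Then the supremum in the definition
of the min-entropy $H_{\min}^{\varepsilon}(\rho_{ABZ}|BZ)$ can be restricted to operators
$\sigma_{BZ} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_Z)$ which are classical with respect to $\{|z\rangle\}_{z \in \mathcal{Z}}$.

Proof. We show that for any $\rho'_{ABZ} \in \mathcal{B}^{\varepsilon}(\rho_{ABZ})$ and $\sigma'_{BZ} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_Z)$
with $\mathrm{tr}(\sigma'_{BZ}) = 1$ there exists $\bar\rho_{ABZ} \in \mathcal{B}^{\varepsilon}(\rho_{ABZ})$ and $\bar\sigma_{BZ} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_Z)$
with $\mathrm{tr}(\bar\sigma_{BZ}) = 1$ such that $\bar\sigma_{BZ}$ is classical with respect to $\{|z\rangle\}_{z \in \mathcal{Z}}$ and

$$H_{\min}(\bar\rho_{ABZ}|\bar\sigma_{BZ}) \geq H_{\min}(\rho'_{ABZ}|\sigma'_{BZ}) .$$

Let thus $\rho'_{ABZ} \in \mathcal{B}^{\varepsilon}(\rho_{ABZ})$ and $\sigma'_{BZ} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_Z)$ be fixed. Define
$\bar\rho_{ABZ} := (\mathrm{id}_{AB} \otimes \mathcal{E}_Z)(\rho'_{ABZ})$ and $\bar\sigma_{BZ} := (\mathrm{id}_B \otimes \mathcal{E}_Z)(\sigma'_{BZ})$ where $\mathcal{E}_Z$ is the
projective measurement operation on $\mathcal{H}_Z$, i.e.,

$$\mathcal{E}_Z(\rho) := \sum_{z \in \mathcal{Z}} |z\rangle\langle z|\, \rho\, |z\rangle\langle z| .$$

Note that $\bar\sigma_{BZ}$ is classical with respect to $\{|z\rangle\}_{z \in \mathcal{Z}}$ and, because $\mathcal{E}_Z$ is
trace-preserving, $\mathrm{tr}(\bar\sigma_{BZ}) = \mathrm{tr}(\sigma'_{BZ}) = 1$. Similarly, $\mathrm{tr}(\bar\rho_{ABZ}) = \mathrm{tr}(\rho'_{ABZ})$.
Moreover, because $(\mathrm{id}_{AB} \otimes \mathcal{E}_Z)(\rho_{ABZ}) = \rho_{ABZ}$ and because the distance can
only decrease when applying $\mathrm{id}_{AB} \otimes \mathcal{E}_Z$ (cf. Lemma A.2.1), we have

$$\|\bar\rho_{ABZ} - \rho_{ABZ}\|_1 \leq \|\rho'_{ABZ} - \rho_{ABZ}\|_1$$

which implies $\bar\rho_{ABZ} \in \mathcal{B}^{\varepsilon}(\rho_{ABZ})$. Finally, using Lemma 3.1.12 we find

$$H_{\min}(\bar\rho_{ABZ}|\bar\sigma_{BZ}) \geq H_{\min}(\rho'_{ABZ}|\sigma'_{BZ}) .$$ □

3.2.2 Basic properties of smooth min-entropy
Superadditivity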

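The following is a generalization of (one direction of) Lemma 3.1.6 to smooth
min-entropy.

Lemma 3.2.6. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$, $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ and, similarly,
$\rho_{A'B'} \in \mathcal{P}(\mathcal{H}_{A'} \otimes \mathcal{H}_{B'})$, $\sigma_{B'} \in \mathcal{P}(\mathcal{H}_{B'})$, and let $\varepsilon, \varepsilon' \geq 0$. Then

$$H_{\min}^{\varepsilon+\varepsilon'}(\rho_{AB} \otimes \rho_{A'B'}|\sigma_B \otimes \sigma_{B'}) \geq H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B) + H_{\min}^{\varepsilon'}(\rho_{A'B'}|\sigma_{B'}) .$$

Proof. For any $\nu > 0$, there exist $\bar\rho_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})$ and $\bar\rho_{A'B'} \in \mathcal{B}^{\varepsilon'}(\rho_{A'B'})$
such that

$$H_{\min}(\bar\rho_{AB}|\sigma_B) \geq H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B) - \nu$$
$$H_{\min}(\bar\rho_{A'B'}|\sigma_{B'}) \geq H_{\min}^{\varepsilon'}(\rho_{A'B'}|\sigma_{B'}) - \nu .$$

Hence, by Lemma 3.1.6,

$$H_{\min}(\bar\rho_{AB} \otimes \bar\rho_{A'B'}|\sigma_B \otimes \sigma_{B'}) \geq H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B) + H_{\min}^{\varepsilon'}(\rho_{A'B'}|\sigma_{B'}) - 2\nu .$$

Because this holds for any $\nu > 0$, it remains to verify that
$\bar\rho_{AB} \otimes \bar\rho_{A'B'} \in \mathcal{B}^{\varepsilon+\varepsilon'}(\rho_{AB} \otimes \rho_{A'B'})$. This is however a direct consequence
of the triangle inequality, i.e.,

$$\|\bar\rho_{AB} \otimes \bar\rho_{A'B'} - \rho_{AB} \otimes \rho_{A'B'}\|_1
\leq \mathrm{tr}(\rho_{A'B'}) \cdot \|\bar\rho_{AB} - \rho_{AB}\|_1 + \mathrm{tr}(\rho_{AB}) \cdot \|\bar\rho_{A'B'} - \rho_{A'B'}\|_1
\leq \mathrm{tr}(\rho_{AB} \otimes \rho_{A'B'})(\varepsilon + \varepsilon') .$$

□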

Strong subadditivity 

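The following statement is a generalization of Lemma 3.1.7 to smooth
min-entropy.

Lemma 3.2.7. Let $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$, $\sigma_{BC} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_C)$, and
let $\varepsilon \geq 0$. Then

$$H_{\min}^{\varepsilon}(\rho_{ABC}|\sigma_{BC}) \leq H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B) .$$

Proof. For any $\nu > 0$, there exists $\bar\rho_{ABC} \in \mathcal{B}^{\varepsilon}(\rho_{ABC})$ such that

$$H_{\min}(\bar\rho_{ABC}|\sigma_{BC}) \geq H_{\min}^{\varepsilon}(\rho_{ABC}|\sigma_{BC}) - \nu .$$

Hence, by Lemma 3.1.7 applied to the operator $\bar\rho_{ABC}$,

$$H_{\min}(\bar\rho_{AB}|\sigma_B) \geq H_{\min}^{\varepsilon}(\rho_{ABC}|\sigma_{BC}) - \nu .$$

Because this holds for any $\nu > 0$, it remains to show that $\bar\rho_{AB} \in \mathcal{B}^{\varepsilon}(\rho_{AB})$.
This is however a direct consequence of the fact that the $L_1$-distance cannot
increase when taking the partial trace (cf. Lemma A.2.1), i.e.,

$$\|\bar\rho_{AB} - \rho_{AB}\|_1 \leq \|\bar\rho_{ABC} - \rho_{ABC}\|_1 \leq \mathrm{tr}(\rho_{ABC}) \cdot \varepsilon .$$

□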
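Conditioning on classical information

The following lemma generalizes (one direction of) Lemma 3.1.8 to smooth
min-entropy.

Lemma 3.2.8. Let $\rho_{ABZ} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_Z)$ and $\sigma_{BZ} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_Z)$
be classical with respect to an orthonormal basis $\{|z\rangle\}_{z \in \mathcal{Z}}$ of $\mathcal{H}_Z$, let $\rho_{AB}^z$
and $\sigma_B^z$ be the corresponding (non-normalized) conditional operators, and
let $\varepsilon \geq 0$. Then

$$H_{\min}^{\varepsilon}(\rho_{ABZ}|\sigma_{BZ}) \geq \inf_{z \in \mathcal{Z}} H_{\min}^{\varepsilon}(\rho_{AB}^z|\sigma_B^z) .$$

Proof. For any $\nu > 0$ and $z \in \mathcal{Z}$, there exists $\bar\rho_{AB}^z \in \mathcal{B}^{\varepsilon}(\rho_{AB}^z)$ such that

$$H_{\min}(\bar\rho_{AB}^z|\sigma_B^z) \geq H_{\min}^{\varepsilon}(\rho_{AB}^z|\sigma_B^z) - \nu .$$

Let

$$\bar\rho_{ABZ} := \sum_{z \in \mathcal{Z}} \bar\rho_{AB}^z \otimes |z\rangle\langle z| .$$

Using Lemma 3.1.8 we find

$$H_{\min}(\bar\rho_{ABZ}|\sigma_{BZ}) = \inf_{z \in \mathcal{Z}} H_{\min}(\bar\rho_{AB}^z|\sigma_B^z) \geq \inf_{z \in \mathcal{Z}} H_{\min}^{\varepsilon}(\rho_{AB}^z|\sigma_B^z) - \nu . \qquad (3.8)$$

Because this holds for any value of $\nu > 0$, it suffices to verify that
$\bar\rho_{ABZ} \in \mathcal{B}^{\varepsilon}(\rho_{ABZ})$. This is however a direct consequence of

$$\|\bar\rho_{ABZ} - \rho_{ABZ}\|_1 = \sum_{z \in \mathcal{Z}} \|\bar\rho_{AB}^z - \rho_{AB}^z\|_1 \leq \sum_{z \in \mathcal{Z}} \mathrm{tr}(\rho_{AB}^z) \cdot \varepsilon = \mathrm{tr}(\rho_{ABZ}) \cdot \varepsilon ,$$

where the first equality follows from Lemma A.2.2. □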



3.2.3 Chain rules for smooth min-entropy 

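The following lemma generalizes (one direction of) Lemma 3.1.10 to smooth
min-entropy.

Lemma 3.2.9. Let $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$, $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$, let
$\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ be the fully mixed state on the support of $\rho_B$, and let $\varepsilon \geq 0$. Then

$$H_{\min}^{\varepsilon}(\rho_{ABC}|\sigma_C) \leq H_{\min}^{\varepsilon}(\rho_{ABC}|\sigma_B \otimes \sigma_C) + H_{\max}(\rho_B) .$$

Proof. According to Remark 3.2.4, for any $\nu > 0$, there exists
$\bar\rho_{ABC} \in \mathcal{B}^{\varepsilon}(\rho_{ABC})$ such that

$$H_{\min}(\bar\rho_{ABC}|\sigma_C) \geq H_{\min}^{\varepsilon}(\rho_{ABC}|\sigma_C) - \nu \qquad (3.9)$$

and $\mathrm{supp}(\bar\rho_{ABC}) \subseteq \mathrm{supp}(\rho_{AB}) \otimes \mathcal{H}_C = \mathrm{supp}(\rho_{AB} \otimes \mathrm{id}_C)$. Hence, from
Lemma B.4.2, $\mathrm{supp}(\bar\rho_B) \subseteq \mathrm{supp}(\rho_B)$. Consequently, the operator $\bar\rho_B$ is
arbitrarily close to an operator whose support is equal to the support of $\rho_B$.
By continuity, we can thus assume without loss of generality that
$\mathrm{supp}(\bar\rho_B) = \mathrm{supp}(\rho_B)$, that is,

$$H_{\max}(\bar\rho_B) = H_{\max}(\rho_B) . \qquad (3.10)$$

Moreover, since $\bar\rho_{ABC} \in \mathcal{B}^{\varepsilon}(\rho_{ABC})$, we have

$$H_{\min}^{\varepsilon}(\rho_{ABC}|\sigma_B \otimes \sigma_C) \geq H_{\min}(\bar\rho_{ABC}|\sigma_B \otimes \sigma_C) . \qquad (3.11)$$

Finally, because $\sigma_B$ is the fully mixed state on $\mathrm{supp}(\rho_B) = \mathrm{supp}(\bar\rho_B)$,
Lemma 3.1.10 applied to the state $\bar\rho_{ABC}$ gives

$$H_{\min}(\bar\rho_{ABC}|\sigma_C) = H_{\min}(\bar\rho_{ABC}|\sigma_B \otimes \sigma_C) + H_{\max}(\bar\rho_B) .$$

Combining this with (3.9), (3.10), and (3.11) concludes the proof. □

Data processing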

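The following lemma is a generalization of Lemma 3.1.11 to smooth
min-entropy.

Lemma 3.2.10. Let $\rho_{AYC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_Y \otimes \mathcal{H}_C)$ be classical with respect to
an orthonormal basis $\{|y\rangle\}_{y \in \mathcal{Y}}$ of $\mathcal{H}_Y$ such that the corresponding conditional
operators $\rho_{AC}^y$, for any $y \in \mathcal{Y}$, have product form, let $\sigma_C \in \mathcal{P}(\mathcal{H}_C)$, and let
$\varepsilon \geq 0$. Then

$$H_{\min}^{\varepsilon}(\rho_{AYC}|\sigma_C) \geq H_{\min}^{\varepsilon}(\rho_{YC}|\sigma_C) + H_{\min}(\rho_{AY}|\rho_Y) .$$

Proof. For any $y \in \mathcal{Y}$, let $p_y := \mathrm{tr}(\rho_{AC}^y)$ and define $\tilde\rho_A^y := \frac{1}{p_y} \rho_A^y$. Because
$\rho_{AC}^y$ has product form, we have

$$\rho_{AYC} = \sum_{y \in \mathcal{Y}} \tilde\rho_A^y \otimes |y\rangle\langle y| \otimes \rho_C^y .$$

According to Remark 3.2.4, for any $\nu > 0$, there exists a nonnegative
operator $\bar\rho_{YC} \in \mathcal{B}^{\varepsilon}(\rho_{YC})$ such that

$$H_{\min}(\bar\rho_{YC}|\sigma_C) \geq H_{\min}^{\varepsilon}(\rho_{YC}|\sigma_C) - \nu \qquad (3.12)$$

where $\bar\rho_{YC}$ is classical with respect to $\{|y\rangle\}_{y \in \mathcal{Y}}$, that is,
$\bar\rho_{YC} = \sum_{y \in \mathcal{Y}} |y\rangle\langle y| \otimes \bar\rho_C^y$, for some family $\{\bar\rho_C^y\}_{y \in \mathcal{Y}}$ of conditional
operators on $\mathcal{H}_C$. Let $\bar\rho_{AYC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_Y \otimes \mathcal{H}_C)$ be defined by

$$\bar\rho_{AYC} := \sum_{y \in \mathcal{Y}} \tilde\rho_A^y \otimes |y\rangle\langle y| \otimes \bar\rho_C^y .$$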



CHAPTER 3. (SMOOTH) MIN- AND MAX-ENTROPY 49 

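Because the operators $\tilde\rho_A^y$ are normalized, we have

$$\|\bar\rho_{AYC} - \rho_{AYC}\|_1 = \sum_y \|\tilde\rho_A^y \otimes \bar\rho_C^y - \tilde\rho_A^y \otimes \rho_C^y\|_1
= \sum_y \|\bar\rho_C^y - \rho_C^y\|_1
= \|\bar\rho_{YC} - \rho_{YC}\|_1 ,$$

where the first and the last equality follow from Lemma A.2.2. Because
$\bar\rho_{YC} \in \mathcal{B}^{\varepsilon}(\rho_{YC})$, this implies $\bar\rho_{AYC} \in \mathcal{B}^{\varepsilon}(\rho_{AYC})$ and thus

$$H_{\min}^{\varepsilon}(\rho_{AYC}|\sigma_C) \geq H_{\min}(\bar\rho_{AYC}|\sigma_C) . \qquad (3.13)$$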

Moreover, using Lemma 3.1.8 and the fact that, for any $y \in \mathcal{Y}$, the operators
p y A and p \ only differ by a factor p y , we have 

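$$H_{\min}(\bar\rho_{AY}|\bar\rho_Y) = \inf_{y \in \mathcal{Y}} H_{\min}(\bar\rho_A^y|\mathrm{tr}(\bar\rho_A^y))
= \inf_{y \in \mathcal{Y}} H_{\min}(\rho_A^y|\mathrm{tr}(\rho_A^y))
= H_{\min}(\rho_{AY}|\rho_Y) . \qquad (3.14)$$

Finally, applying Lemma 3.1.11 to the state $\bar\rho_{AYC}$ gives

$$H_{\min}(\bar\rho_{AYC}|\sigma_C) \geq H_{\min}(\bar\rho_{YC}|\sigma_C) + H_{\min}(\bar\rho_{AY}|\bar\rho_Y) .$$

Combining this with (3.12), (3.13), and (3.14) concludes the proof. □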



3.2.4 Smooth min-entropy of superpositions 

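The following statement generalizes Lemma 3.1.14.

Lemma 3.2.11. Let $\rho_{ABE}$, $\rho_{ABEX}$ be defined by (3.4) and (3.5), respectively,
for mutually orthogonal vectors $|\psi^x\rangle$, let $\sigma_{BX} \in \mathcal{P}(\mathcal{H}_B \otimes \mathcal{H}_X)$, and
let $\varepsilon \geq 0$. Then

$$H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B) \geq H_{\min}^{\bar\varepsilon}(\rho_{ABX}|\sigma_{BX}) - H_{\max}(\rho_X) ,$$

where $\bar\varepsilon = \frac{\varepsilon^2}{6|\mathcal{X}|}$.

Proof. By Remark 3.2.4, for any $\nu > 0$, there exists an operator
$\bar\rho_{ABX} \in \mathcal{B}^{\bar\varepsilon}(\rho_{ABX})$ which is classical with respect to the basis $\{|x\rangle\}_{x \in \mathcal{X}}$ such that

$$H_{\min}(\bar\rho_{ABX}|\sigma_{BX}) \geq H_{\min}^{\bar\varepsilon}(\rho_{ABX}|\sigma_{BX}) - \nu . \qquad (3.15)$$

Let $\{\bar\rho_{AB}^x\}_{x \in \mathcal{X}}$ be the family of conditional operators defined by $\bar\rho_{ABX}$
and $\{|x\rangle\}_{x \in \mathcal{X}}$, i.e., $\bar\rho_{ABX} = \sum_{x \in \mathcal{X}} \bar\rho_{AB}^x \otimes |x\rangle\langle x|$. According to LemmaETTl
for any $x \in \mathcal{X}$, there exists a purification $|\bar\psi^x\rangle\langle\bar\psi^x|$ of $\bar\rho_{AB}^x$ such that

$$\bigl\| |\psi^x\rangle - |\bar\psi^x\rangle \bigr\| \leq \sqrt{\|\rho_{AB}^x - \bar\rho_{AB}^x\|_1} .$$

Let $|\bar\psi\rangle := \sum_{x \in \mathcal{X}} |\bar\psi^x\rangle$ and define $\bar\rho_{ABE} := |\bar\psi\rangle\langle\bar\psi|$. By the triangle inequality,
we find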



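$$\bigl\| |\psi\rangle - |\bar\psi\rangle \bigr\| \leq \sum_{x \in \mathcal{X}} \bigl\| |\psi^x\rangle - |\bar\psi^x\rangle \bigr\| \leq \sum_{x \in \mathcal{X}} \sqrt{\|\rho_{AB}^x - \bar\rho_{AB}^x\|_1} .$$

Hence, with Jensen's inequality,

$$\bigl\| |\psi\rangle - |\bar\psi\rangle \bigr\| \leq \sqrt{|\mathcal{X}| \sum_{x \in \mathcal{X}} \|\rho_{AB}^x - \bar\rho_{AB}^x\|_1} = \sqrt{|\mathcal{X}| \cdot \|\rho_{ABX} - \bar\rho_{ABX}\|_1} ,$$

where the equality follows from Lemma A.2.2. Because the vectors $|\psi^x\rangle$
are orthogonal, we have $\mathrm{tr}(\rho_{ABX}) = \mathrm{tr}(\rho_{AB})$. Consequently, since
$\bar\rho_{ABX} \in \mathcal{B}^{\bar\varepsilon}(\rho_{ABX})$, we obtain

$$\bigl\| |\psi\rangle - |\bar\psi\rangle \bigr\| \leq \sqrt{|\mathcal{X}| \cdot \bar\varepsilon \cdot \mathrm{tr}(\rho_{ABX})} = \sqrt{|\mathcal{X}| \cdot \bar\varepsilon \cdot \mathrm{tr}(\rho_{AB})} . \qquad (3.16)$$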

Assume without loss of generality that \X\ ■ i < | (otherwise, the asser- 
tion is trivial). Then, because y/tr(pAB) = 111*0)11; w e have 

+ II Mil < 2|||^)|| + 



< 2y / tr(pAB) + \j q^ÍPAb) < a/6 tr (pas) • 



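and thus, by Lemma A.2.5,

$$\|\rho_{AB} - \bar\rho_{AB}\|_1 \leq \sqrt{6\, \mathrm{tr}(\rho_{AB})} \cdot \bigl\| |\psi\rangle - |\bar\psi\rangle \bigr\| \leq \mathrm{tr}(\rho_{AB}) \cdot \varepsilon ,$$

where the last inequality follows from (3.16). This implies

$$H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B) \geq H_{\min}(\bar\rho_{AB}|\sigma_B) . \qquad (3.17)$$

Note that $\bar\rho_{ABX}$ can be seen as the operator obtained by taking the
partial trace of

$$\bar\rho_{ABEX} := \sum_{x \in \mathcal{X}} |\bar\psi^x\rangle\langle\bar\psi^x| \otimes |x\rangle\langle x| .$$

We can thus apply Lemma 3.1.14 to the operators $\bar\rho_{ABE}$ and $\bar\rho_{ABEX}$, which
gives

$$H_{\min}(\bar\rho_{AB}|\sigma_B) \geq H_{\min}(\bar\rho_{ABX}|\sigma_{BX}) - H_{\max}(\bar\rho_X) .$$

Finally, because the support of $\bar\rho_X$ is contained in the support of $\rho_X$, we
have $H_{\max}(\bar\rho_X) \leq H_{\max}(\rho_X)$ and thus

$$H_{\min}(\bar\rho_{AB}|\sigma_B) \geq H_{\min}(\bar\rho_{ABX}|\sigma_{BX}) - H_{\max}(\rho_X) .$$

Combining this with (3.17) and (3.15) concludes the proof. □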
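3.2.5 Smooth min-entropy calculus

The properties proven so far are formulated in terms of the smooth
min-entropy $H_{\min}^{\varepsilon}(\rho_{AB}|\sigma_B)$ relative to an operator $\sigma_B$ (Definition 3.2.1). The
following theorem translates these statements to conditional smooth min-entropy
$H_{\min}^{\varepsilon}(\rho_{AB}|B)$ (Definition 3.2.2).

Theorem 3.2.12. Let $\varepsilon, \varepsilon' \geq 0$. Then the following inequalities hold:

• (Super-)additivity:

$$H_{\min}^{\varepsilon+\varepsilon'}(\rho_{AB} \otimes \rho_{A'B'}|BB') \geq H_{\min}^{\varepsilon}(\rho_{AB}|B) + H_{\min}^{\varepsilon'}(\rho_{A'B'}|B') , \qquad (3.18)$$

for $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\rho_{A'B'} \in \mathcal{P}(\mathcal{H}_{A'} \otimes \mathcal{H}_{B'})$.

• Strong subadditivity:

$$H_{\min}^{\varepsilon}(\rho_{ABC}|BC) \leq H_{\min}^{\varepsilon}(\rho_{AB}|B) , \qquad (3.19)$$

for $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$.

• Conditioning on classical information:

$$H_{\min}^{\varepsilon}(\rho_{ABZ}|BZ) \geq \inf_{z \in \mathcal{Z}} H_{\min}^{\varepsilon}(\bar\rho_{AB}^z|B) , \qquad (3.20)$$

for $\rho_{ABZ} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_Z)$ normalized and classical on $\mathcal{H}_Z$, and
for normalized conditional operators $\bar\rho_{AB}^z$.

• Chain rule:

$$H_{\min}^{\varepsilon}(\rho_{ABC}|C) \leq H_{\min}^{\varepsilon}(\rho_{ABC}|BC) + H_{\max}(\rho_B) , \qquad (3.21)$$

for $\rho_{ABC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C)$.

• Data processing:

$$H_{\min}^{\varepsilon}(\rho_{AYC}|C) \geq H_{\min}^{\varepsilon}(\rho_{YC}|C) + H_{\min}(\rho_{AY}|\rho_Y) , \qquad (3.22)$$

for $\rho_{AYC} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_Y \otimes \mathcal{H}_C)$ classical on $\mathcal{H}_Y$ such that the conditional
operators $\rho_{AC}^y$ have product form.

Proof. The statements follow immediately from Lemmata 3.2.6, 3.2.7, 3.2.8,
3.2.9, and 3.2.10. □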

3.3 Smooth min- and max-entropy of products 

In this section, we show that the smooth min- and max-entropies of product
states are asymptotically equal to the von Neumann entropy. In a first step,
we consider a purely classical situation, i.e., we prove that the smooth min-
and max-entropies of a sequence of independent and identically distributed
random variables can be expressed in terms of Shannon entropy (which is
the classical analogue of the von Neumann entropy). Then, in a second step,
we generalize this statement to quantum states (Section 3.3.2).
3.3.1 The classical case

The proof of the main result of this section (Theorem 3.3.4) is based on
a Chernoff style bound (Theorem 3.3.3) which is actually a variant of the
asymptotic equipartition property (AEP) known from information theory
(see, e.g., [CT91]). It states that, with high probability, the negative
logarithm of the probability of an $n$-tuple of values chosen according to a product
distribution $P^n$ is close to the Shannon entropy of $P^n$.



Typical sequences and their probabilities 



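Lemma 3.3.1. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ be a probability distribution. Then,
for any $t \in \mathbb{R}$ with $|t| \leq \frac{1}{\log(|\mathcal{X}|+3)}$,

$$\log \mathbb{E}_{x,y}\bigl[P_{X|Y}(x,y)^{-t}\bigr] \leq t H(X|Y) + \tfrac{1}{2} t^2 \log(|\mathcal{X}|+3)^2 ,$$

where the expectation is taken over pairs $(x,y)$ chosen according to $P_{XY}$.

Proof. For any $t \in \mathbb{R}$, let $r_t$ be the function on the open interval $(0, \infty)$
defined by

$$r_t(z) := z^t - t \ln z - 1 . \qquad (3.23)$$

We will use several properties of this function proven in Appendix B.6.

For any $x \in \mathcal{X}$ and $y \in \mathcal{Y}$, let $p_{x,y} := P_{X|Y}(x,y)$. If $p_{x,y} > 0$ then

$$p_{x,y}^{-t} = r_t\Bigl(\frac{1}{p_{x,y}}\Bigr) + t \ln\frac{1}{p_{x,y}} + 1 \leq r_t\Bigl(\frac{1}{p_{x,y}} + 3\Bigr) + t \ln\frac{1}{p_{x,y}} + 1 ,$$

where the inequality holds because $r_t$ is monotonically increasing on the
interval $[1, \infty)$ (Lemma B.6.1) and $\frac{1}{p_{x,y}} = \frac{P_Y(y)}{P_{XY}(x,y)} \geq 1$. Because
$\frac{1}{p_{x,y}} + 3 \in [4, \infty)$ and because $r_t$ is concave on this interval (Lemma B.6.3 which can
be applied because $t \in [-\frac{1}{2}, \frac{1}{2}]$), Jensen's inequality leads to

$$\mathbb{E}_{x,y}\bigl[p_{x,y}^{-t}\bigr] \leq \mathbb{E}_{x,y}\Bigl[r_t\Bigl(\frac{1}{p_{x,y}} + 3\Bigr)\Bigr] + t\, \mathbb{E}_{x,y}\Bigl[\ln\frac{1}{p_{x,y}}\Bigr] + 1
\leq r_t\Bigl(\mathbb{E}_{x,y}\Bigl[\frac{1}{p_{x,y}} + 3\Bigr]\Bigr) + t (\ln 2)\, \mathbb{E}_{x,y}\Bigl[\log\frac{1}{p_{x,y}}\Bigr] + 1 ,$$

where $\mathbb{E}_{x,y}[\cdot]$ denotes the expectation with respect to $(x,y)$ chosen according
to the distribution $P_{XY}$. Because
$\mathbb{E}_{x,y}\bigl[\frac{1}{p_{x,y}}\bigr] = \sum_{x,y} P_{XY}(x,y) \frac{P_Y(y)}{P_{XY}(x,y)} = |\mathcal{X}|$
and $\mathbb{E}_{x,y}\bigl[\log\frac{1}{p_{x,y}}\bigr] = H(X|Y)$, we obtain

$$\mathbb{E}_{x,y}\bigl[p_{x,y}^{-t}\bigr] \leq r_t(|\mathcal{X}| + 3) + t (\ln 2) H(X|Y) + 1 .$$

Furthermore, because $\log a \leq \frac{1}{\ln 2}(a - 1)$,

$$\log \mathbb{E}_{x,y}\bigl[p_{x,y}^{-t}\bigr] \leq \frac{1}{\ln 2}\, r_t(|\mathcal{X}| + 3) + t H(X|Y) .$$

Finally, together with Lemma B.6.4, since $|t| \leq \frac{1}{\log(|\mathcal{X}|+3)}$, we conclude

$$\log \mathbb{E}_{x,y}\bigl[p_{x,y}^{-t}\bigr] \leq \Bigl(\frac{1}{\ln 2} - 1\Bigr) t^2 \log(|\mathcal{X}|+3)^2 + t H(X|Y) .$$

The assertion follows because $\frac{1}{\ln 2} - 1 \leq \frac{1}{2}$. □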

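Lemma 3.3.2. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ be a probability distribution and let $\gamma$
be the function on $\mathcal{X} \times \mathcal{Y}$ defined by

$$\gamma(x, y) := -\log P_{X|Y}(x, y) - H(X|Y) .$$

Then, for any $t \in \mathbb{R}$ with $|t| \leq \frac{1}{\log(|\mathcal{X}|+3)}$,

$$\mathbb{E}_{x,y}\bigl[2^{t\gamma(x,y)}\bigr] \leq 2^{\frac{1}{2} t^2 \log(|\mathcal{X}|+3)^2} .$$

Proof. The assertion follows directly from Lemma 3.3.1, that is,

$$\mathbb{E}_{x,y}\bigl[2^{t\gamma(x,y)}\bigr] = 2^{-tH(X|Y)}\, \mathbb{E}_{x,y}\bigl[P_{X|Y}(x,y)^{-t}\bigr]
\leq 2^{-tH(X|Y)} \cdot 2^{tH(X|Y) + \frac{1}{2} t^2 \log(|\mathcal{X}|+3)^2} .$$ □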



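Theorem 3.3.3. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ be a probability distribution and
let $n \in \mathbb{N}$. Then, for any $\delta \in [0, \log|\mathcal{X}|]$ and $(\mathbf{x}, \mathbf{y})$ chosen according to
$P_{X^nY^n} := (P_{XY})^n$,

$$\Pr_{\mathbf{x},\mathbf{y}}\bigl[-\log P_{X^n|Y^n}(\mathbf{x},\mathbf{y}) \geq n(H(X|Y) + \delta)\bigr] \leq 2^{-\frac{n\delta^2}{2\log(|\mathcal{X}|+3)^2}} ,$$

and, similarly,

$$\Pr_{\mathbf{x},\mathbf{y}}\bigl[-\log P_{X^n|Y^n}(\mathbf{x},\mathbf{y}) \leq n(H(X|Y) - \delta)\bigr] \leq 2^{-\frac{n\delta^2}{2\log(|\mathcal{X}|+3)^2}} .$$

Proof. Let $\mathbf{x} = (x_1, \ldots, x_n)$, $\mathbf{y} = (y_1, \ldots, y_n)$, and let $\gamma$ be the function
defined in Lemma 3.3.2 for the probability distribution $P_{XY}$. Then

$$\sum_{i=1}^{n} \gamma(x_i, y_i) = -\log P_{X^n|Y^n}(\mathbf{x},\mathbf{y}) - nH(X|Y) . \qquad (3.24)$$

Using Markov's inequality, for any $t > 0$,

$$\Pr_{\mathbf{x},\mathbf{y}}\Bigl[\sum_{i=1}^{n} \gamma(x_i,y_i) \geq n\delta\Bigr] = \Pr_{\mathbf{x},\mathbf{y}}\Bigl[2^{t\sum_{i=1}^{n}\gamma(x_i,y_i)} \geq 2^{tn\delta}\Bigr]
\leq \frac{\mathbb{E}_{\mathbf{x},\mathbf{y}}\bigl[2^{t\sum_{i=1}^{n}\gamma(x_i,y_i)}\bigr]}{2^{tn\delta}} . \qquad (3.25)$$

Moreover, because the pairs $(x_i, y_i)$ are chosen independently,

$$\mathbb{E}_{\mathbf{x},\mathbf{y}}\bigl[2^{t\sum_{i=1}^{n}\gamma(x_i,y_i)}\bigr] = \mathbb{E}_{\mathbf{x},\mathbf{y}}\Bigl[\prod_{i=1}^{n} 2^{t\gamma(x_i,y_i)}\Bigr]
= \prod_{i=1}^{n} \mathbb{E}_{x_i,y_i}\bigl[2^{t\gamma(x_i,y_i)}\bigr]
\leq \bigl(2^{\frac{1}{2}t^2\log(|\mathcal{X}|+3)^2}\bigr)^n$$

where the inequality follows from Lemma 3.3.2, for any $|t| \leq \frac{1}{\log(|\mathcal{X}|+3)}$.
Combining this with (3.25) gives

$$\Pr_{\mathbf{x},\mathbf{y}}\Bigl[\sum_{i=1}^{n} \gamma(x_i,y_i) \geq n\delta\Bigr] \leq 2^{\frac{1}{2} n t^2 \log(|\mathcal{X}|+3)^2 - tn\delta} .$$

With $t := \frac{\delta}{\log(|\mathcal{X}|+3)^2}$ (note that $t \leq \frac{1}{\log(|\mathcal{X}|+3)}$ because $\delta \leq \log|\mathcal{X}|$), we
conclude

$$\Pr_{\mathbf{x},\mathbf{y}}\Bigl[\sum_{i=1}^{n} \gamma(x_i,y_i) \geq n\delta\Bigr] \leq 2^{-\frac{n\delta^2}{2\log(|\mathcal{X}|+3)^2}} .$$

The first inequality of the lemma then follows from (3.24).
Similarly, if $t < 0$,

$$\Pr_{\mathbf{x},\mathbf{y}}\Bigl[\sum_{i=1}^{n} \gamma(x_i,y_i) \leq -n\delta\Bigr] = \Pr_{\mathbf{x},\mathbf{y}}\Bigl[2^{t\sum_{i=1}^{n}\gamma(x_i,y_i)} \geq 2^{-tn\delta}\Bigr]
\leq \frac{\mathbb{E}_{\mathbf{x},\mathbf{y}}\bigl[2^{t\sum_{i=1}^{n}\gamma(x_i,y_i)}\bigr]}{2^{-tn\delta}}$$

and thus

$$\Pr_{\mathbf{x},\mathbf{y}}\Bigl[\sum_{i=1}^{n} \gamma(x_i,y_i) \leq -n\delta\Bigr] \leq 2^{\frac{1}{2} n t^2 \log(|\mathcal{X}|+3)^2 + tn\delta} .$$

The second inequality follows with $t := -\frac{\delta}{\log(|\mathcal{X}|+3)^2}$. □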



Asymptotic equality of smooth entropy and Shannon entropy 

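Theorem 3.3.4. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ be a probability distribution and let
$n \in \mathbb{N}$. Then, for any $\varepsilon \geq 0$ and $P_{X^nY^n} := (P_{XY})^n$,

$$\frac{1}{n} H_{\max}^{\varepsilon}(P_{X^nY^n}|P_{Y^n}) \leq H(X|Y) + \delta$$
$$\frac{1}{n} H_{\min}^{\varepsilon}(P_{X^nY^n}|P_{Y^n}) \geq H(X|Y) - \delta ,$$

where $\delta := \log(|\mathcal{X}| + 3) \sqrt{\frac{2\log(1/\varepsilon)}{n}}$.

Proof. We first prove the bound on the (classical) smooth max-entropy
$H_{\max}^{\varepsilon}(P_{X^nY^n}|P_{Y^n})$. For any $\mathbf{y} \in \mathcal{Y}^n$ with $P_{Y^n}(\mathbf{y}) > 0$, let $\mathcal{X}_{\mathbf{y}}$ be the set
of all $n$-tuples $\mathbf{x} \in \mathcal{X}^n$ such that

$$-\log P_{X^n|Y^n}(\mathbf{x},\mathbf{y}) \leq n(H(X|Y) + \delta) .$$

Furthermore, let $\bar P_{X^nY^n}$ be the nonnegative function on $\mathcal{X}^n \times \mathcal{Y}^n$ defined by

$$\bar P_{X^nY^n}(\mathbf{x},\mathbf{y}) = \begin{cases} P_{X^nY^n}(\mathbf{x},\mathbf{y}) & \text{if } \mathbf{x} \in \mathcal{X}_{\mathbf{y}} \\ 0 & \text{otherwise.} \end{cases} \qquad (3.26)$$

We can assume without loss of generality that $\delta \leq \log|\mathcal{X}|$ (otherwise,
the statement is trivial). Hence, by the first inequality of Theorem 3.3.3,
$\Pr_{\mathbf{x},\mathbf{y}}[\mathbf{x} \notin \mathcal{X}_{\mathbf{y}}] \leq \varepsilon$. This implies $\|P_{X^nY^n} - \bar P_{X^nY^n}\|_1 \leq \varepsilon$ and thus

$$H_{\max}^{\varepsilon}(P_{X^nY^n}|P_{Y^n}) \leq H_{\max}(\bar P_{X^nY^n}|P_{Y^n}) . \qquad (3.27)$$

For any fixed $\mathbf{y} := (y_1, \ldots, y_n) \in \mathcal{Y}^n$ with $P_{Y^n}(\mathbf{y}) > 0$,

$$1 \geq \sum_{\mathbf{x} \in \mathcal{X}_{\mathbf{y}}} \prod_{i=1}^{n} P_{X|Y}(x_i, y_i) \geq |\mathcal{X}_{\mathbf{y}}|\, 2^{-n(H(X|Y)+\delta)} ,$$

where the second inequality follows from the definition of the set $\mathcal{X}_{\mathbf{y}}$.
Consequently, we have $|\mathcal{X}_{\mathbf{y}}| \leq 2^{n(H(X|Y)+\delta)}$. Moreover, by the definition of $\bar P_{X^nY^n}$,
the support of the function $\mathbf{x} \mapsto \bar P_{X^nY^n}(\mathbf{x},\mathbf{y})$ is contained in $\mathcal{X}_{\mathbf{y}}$. Hence,
using Remark 3.1.4,

$$H_{\max}(\bar P_{X^nY^n}|P_{Y^n}) \leq \log\Bigl(\sum_{\mathbf{y} \in \mathcal{Y}^n} P_{Y^n}(\mathbf{y}) \cdot |\mathcal{X}_{\mathbf{y}}|\Bigr) \leq n(H(X|Y) + \delta) .$$

Combining this with (3.27) proves the first inequality of the lemma.

To prove the bound on the min-entropy $H_{\min}^{\varepsilon}(P_{X^nY^n}|P_{Y^n})$, let $\mathcal{X}_{\mathbf{y}}$, for
any $\mathbf{y} \in \mathcal{Y}^n$ with $P_{Y^n}(\mathbf{y}) > 0$, be the set of $n$-tuples $\mathbf{x} \in \mathcal{X}^n$ such that

$$-\log P_{X^n|Y^n}(\mathbf{x},\mathbf{y}) \geq n(H(X|Y) - \delta) ,$$

and let $\bar P_{X^nY^n}$ be defined by (3.26). By the second inequality of
Theorem 3.3.3, $\Pr_{\mathbf{x},\mathbf{y}}[\mathbf{x} \notin \mathcal{X}_{\mathbf{y}}] \leq \varepsilon$, which, similarly to the previous argument,
implies

$$H_{\min}^{\varepsilon}(P_{X^nY^n}|P_{Y^n}) \geq H_{\min}(\bar P_{X^nY^n}|P_{Y^n}) . \qquad (3.28)$$

Moreover, using Remark 3.1.4,

$$H_{\min}(\bar P_{X^nY^n}|P_{Y^n}) = -\log \max_{\mathbf{y} \in \mathrm{supp}(P_{Y^n})} \max_{\mathbf{x} \in \mathcal{X}^n} \frac{\bar P_{X^nY^n}(\mathbf{x},\mathbf{y})}{P_{Y^n}(\mathbf{y})}
= -\log \max_{\mathbf{y} \in \mathrm{supp}(P_{Y^n})} \max_{\mathbf{x} \in \mathcal{X}_{\mathbf{y}}} \frac{P_{X^nY^n}(\mathbf{x},\mathbf{y})}{P_{Y^n}(\mathbf{y})}
\geq n(H(X|Y) - \delta) ,$$

where the inequality follows from the definition of the set $\mathcal{X}_{\mathbf{y}}$. Combining
this with (3.28) proves the second inequality of the lemma. □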

Because the min-entropy $H_{\min}(P_{X^nY^n}|P_{Y^n})$ cannot be larger than the
max-entropy $H_{\max}(P_{X^nY^n}|P_{Y^n})$ (cf. Lemma 3.1.5), Theorem 3.3.4 implies
that

$$\frac{1}{n} H_{\min}^{\varepsilon}(P_{X^nY^n}|P_{Y^n}) \approx \frac{1}{n} H_{\max}^{\varepsilon}(P_{X^nY^n}|P_{Y^n}) \approx \frac{1}{n} H(X^n|Y^n) , \qquad (3.29)$$

where asymptotically for increasing $n$, the approximation becomes an
equality.
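
The bounds of Theorems 3.3.3 and 3.3.4 can be checked numerically for a concrete source. The following sketch is an added example, not part of the original text: it takes an i.i.d. Bernoulli($p$) source with trivial $Y$ (so $|\mathcal{X}| = 2$), groups the $2^n$ sequences by type, evaluates the two tail probabilities against the Chernoff style bound, and computes the smooth min-entropy by capping the largest probabilities until mass $\varepsilon$ is removed. The function names and the choice of source are assumptions of the example; the smooth max-entropy is only bounded from above, by dropping whole types.

```python
import math

def shannon(p):
    """Shannon entropy H(X) in bits of a Bernoulli(p) source."""
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def type_table(n, p):
    """One row per type k (number of ones in the n-tuple x):
    (log2 P(x) of a single sequence, number of sequences, total mass)."""
    rows = []
    for k in range(n + 1):
        logp = k * math.log2(p) + (n - k) * math.log2(1 - p)
        count = math.comb(n, k)
        rows.append((logp, count, 2.0 ** (logp + math.log2(count))))
    return rows

def chernoff_bound(n, delta, alphabet_size=2):
    """Right-hand side of Theorem 3.3.3."""
    return 2.0 ** (-n * delta ** 2 / (2 * math.log2(alphabet_size + 3) ** 2))

def tail_probabilities(n, p, delta):
    """Exact Pr[-log P(x) >= n(H+delta)] and Pr[-log P(x) <= n(H-delta)]."""
    h, rows = shannon(p), type_table(n, p)
    upper = sum(m for logp, _, m in rows if -logp >= n * (h + delta))
    lower = sum(m for logp, _, m in rows if -logp <= n * (h - delta))
    return upper, lower

def delta_for(n, eps, alphabet_size=2):
    """The delta of Theorem 3.3.4."""
    return math.log2(alphabet_size + 3) * math.sqrt(2 * math.log2(1 / eps) / n)

def smooth_min_entropy(n, p, eps):
    """Smooth min-entropy of P^n (bits): cap every probability at 2**level,
    choosing the lowest level whose removed mass stays within eps."""
    rows = type_table(n, p)

    def removed(level):
        return sum(m * (1 - 2.0 ** (level - logp))
                   for logp, _, m in rows if logp > level)

    lo = min(r[0] for r in rows)
    hi = max(r[0] for r in rows)
    for _ in range(200):               # bisection on the cap level
        mid = (lo + hi) / 2
        if removed(mid) > eps:
            lo = mid
        else:
            hi = mid
    return -hi

def smooth_max_entropy_upper(n, p, eps):
    """Upper bound on the smooth max-entropy (bits): drop the least likely
    types while the dropped mass stays within eps, then take log2 |support|."""
    support, dropped = 2 ** n, 0.0
    for logp, count, mass in sorted(type_table(n, p)):
        if dropped + mass > eps:
            break
        dropped += mass
        support -= count
    return math.log2(support)

if __name__ == "__main__":
    n, p, eps = 400, 0.11, 0.01
    print("H(X)        =", shannon(p))
    print("delta       =", delta_for(n, eps))
    print("H_min^eps/n =", smooth_min_entropy(n, p, eps) / n)
    print("H_max^eps/n <=", smooth_max_entropy_upper(n, p, eps) / n)
```

Running it with growing $n$ shows both normalized smooth entropies closing in on $H(X)$ from below and above, well inside the interval $[H(X) - \delta, H(X) + \delta]$ guaranteed by the theorem.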

Remark 3.3.5. It is easy to see that Theorem 3.3.4 can be generalized
to probability distributions $P_{X^nY^n}$ which are the product of not necessarily
identical distributions $P_{X_iY_i}$. That is, for any distribution of the form
$P_{X^nY^n} = \prod_{i=1}^{n} P_{X_iY_i}$, the approximation (3.29) still holds.



3.3.2 The quantum case 

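The following theorem and its corollary can be seen as a quantum version
of Theorem 3.3.4 for smooth min-entropy (where the Shannon entropy is
replaced by the von Neumann entropy). The proof essentially follows the
same line as the classical argument described above.⁷ A similar argument
shows that the statement also holds for smooth max-entropy.

Theorem 3.3.6. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$, $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$ be density operators,
and let $n \in \mathbb{N}$. Then, for any $\varepsilon \geq 0$,

$$\frac{1}{n} H_{\min}^{\varepsilon}(\rho_{AB}^{\otimes n}|\sigma_B^{\otimes n}) \geq H(\rho_{AB}) - H(\rho_B) - D(\rho_B\|\sigma_B) - \delta ,$$

where $\delta := 2\log\bigl(\mathrm{rank}(\rho_A) + \mathrm{tr}(\rho_{AB}^2(\mathrm{id}_A \otimes \sigma_B^{-1})) + 2\bigr) \sqrt{\frac{\log(1/\varepsilon) + 1}{n}}$.

Proof. Define $H(\rho_{AB}|\sigma_B) := H(\rho_{AB}) - H(\rho_B) - D(\rho_B\|\sigma_B)$. We show that
there exists a density operator $\bar\rho_{A^nB^n} \in \mathcal{B}^{\varepsilon}(\rho_{AB}^{\otimes n})$ such that

$$H_{\min}(\bar\rho_{A^nB^n}|\sigma_B^{\otimes n}) \geq nH(\rho_{AB}|\sigma_B) - n\delta . \qquad (3.30)$$

According to the definition of min-entropy, this is equivalent to saying that
the operator $\lambda \cdot (\mathrm{id}_A \otimes \sigma_B)^{\otimes n} - \bar\rho_{A^nB^n}$ is nonnegative, for $\lambda \geq 0$ such that
$-\log\lambda = nH(\rho_{AB}|\sigma_B) - n\delta$.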

7 An alternative method to prové the statement —H^ nin (p^ j \p^ n ) 2, H(pab) — H(pb) is 
to use a chain rule of the form H^ in (p%\p% n ) > H^J{p%) - H^JpT)- Th e entropies 
on the right hand side of this inequality can be rewritten as the entropies of the classical 
probability distributions defined by the eigenvalues of and p% n , respectively. The 
desired bound then follows from the classical Theorem 3.3.4. However, the results obtained
with such an alternative method are less tight and less general than Theorem 3.3.6.
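Let

$$(\mathrm{id}_A \otimes \sigma_B)^{\otimes n} = \sum_{\mathbf{z} \in \mathcal{Z}^n} q_{\mathbf{z}} |\mathbf{z}\rangle\langle\mathbf{z}|$$

be a spectral decomposition of $(\mathrm{id}_A \otimes \sigma_B)^{\otimes n}$. We can assume without loss
of generality that there exists an order relation on the values $\mathcal{Z}^n$ such that
$q_{\mathbf{z}} \geq q_{\mathbf{z}'}$, for any $\mathbf{z} \geq \mathbf{z}'$. For any $\mathbf{z} \in \mathcal{Z}^n$, let $B_{\mathbf{z}}$ be the projector defined by

$$B_{\mathbf{z}} := \sum_{\mathbf{z}' :\, \mathbf{z}' \geq \mathbf{z}} |\mathbf{z}'\rangle\langle\mathbf{z}'| .$$

Moreover, let $\beta_{\mathbf{z}}$, for $\mathbf{z} \in \mathcal{Z}^n$, be nonnegative coefficients such that, for any
$\mathbf{z}' \in \mathcal{Z}^n$,

$$\sum_{\mathbf{z} :\, \mathbf{z} \leq \mathbf{z}'} \beta_{\mathbf{z}} = q_{\mathbf{z}'} .$$

Note that the spectral decomposition above can then be rewritten as

$$(\mathrm{id}_A \otimes \sigma_B)^{\otimes n} = \sum_{\mathbf{z} \in \mathcal{Z}^n} \beta_{\mathbf{z}} B_{\mathbf{z}} . \qquad (3.31)$$

Let

$$\rho_{AB}^{\otimes n} = \sum_{\mathbf{x} \in \mathcal{X}^n} p_{\mathbf{x}} |\mathbf{x}\rangle\langle\mathbf{x}|$$

be a spectral decomposition of $\rho_{AB}^{\otimes n}$. In the following, we denote by $\infty$ an
element which is larger than any element of $\mathcal{Z}^n$. Moreover, let $p_{\mathbf{x},\mathbf{z}}$, for
$\mathbf{x} \in \mathcal{X}^n$ and $\mathbf{z} \in \mathcal{Z}^n \cup \{\infty\}$, be nonnegative coefficients such that, for any
$\mathbf{z}' \in \mathcal{Z}^n$,

$$\sum_{\mathbf{z} :\, \mathbf{z} \leq \mathbf{z}'} p_{\mathbf{x},\mathbf{z}} = \min(p_{\mathbf{x}}, \lambda q_{\mathbf{z}'})$$
$$\sum_{\mathbf{z} \in \mathcal{Z}^n \cup \{\infty\}} p_{\mathbf{x},\mathbf{z}} = p_{\mathbf{x}} .$$

We show that inequality (3.30) holds for the operator

$$\bar\rho_{A^nB^n} := \sum_{\mathbf{x} \in \mathcal{X}^n} \sum_{\mathbf{z} \in \mathcal{Z}^n} p_{\mathbf{x},\mathbf{z}}\, B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}} .$$

Note first that, by the definition of $p_{\mathbf{x},\mathbf{z}}$ and $\beta_{\mathbf{z}}$, we have $p_{\mathbf{x},\mathbf{z}} \leq \lambda\beta_{\mathbf{z}}$, for
any $\mathbf{x} \in \mathcal{X}^n$ and $\mathbf{z} \in \mathcal{Z}^n$, that is, the operator

$$\sum_{\mathbf{z} \in \mathcal{Z}^n} \lambda\beta_{\mathbf{z}} B_{\mathbf{z}} B_{\mathbf{z}} - \bar\rho_{A^nB^n} = \sum_{\mathbf{z} \in \mathcal{Z}^n} \sum_{\mathbf{x} \in \mathcal{X}^n} (\lambda\beta_{\mathbf{z}} - p_{\mathbf{x},\mathbf{z}})\, B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}}$$

is nonnegative. Using (3.31) and the fact that the operators $B_{\mathbf{z}}$ are
projectors, we conclude that the operator

$$\lambda \cdot (\mathrm{id}_A \otimes \sigma_B)^{\otimes n} - \bar\rho_{A^nB^n} = \sum_{\mathbf{z} \in \mathcal{Z}^n} \lambda\beta_{\mathbf{z}} B_{\mathbf{z}} - \bar\rho_{A^nB^n}$$

is nonnegative, which implies (3.30). It thus remains to be proven that
$\bar\rho_{A^nB^n} \in \mathcal{B}^{\varepsilon}(\rho_{AB}^{\otimes n})$.

Using the above definitions and the convention that $B_{\infty}$ is the zero
matrix, we have

$$\|\rho_{AB}^{\otimes n} - \bar\rho_{A^nB^n}\|_1 = \Bigl\| \sum_{\mathbf{x} \in \mathcal{X}^n} \sum_{\mathbf{z} \in \mathcal{Z}^n \cup \{\infty\}} p_{\mathbf{x},\mathbf{z}} \bigl(|\mathbf{x}\rangle\langle\mathbf{x}| - B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}}\bigr) \Bigr\|_1
\leq \sum_{\mathbf{x} \in \mathcal{X}^n} \sum_{\mathbf{z} \in \mathcal{Z}^n \cup \{\infty\}} p_{\mathbf{x},\mathbf{z}} \bigl\| |\mathbf{x}\rangle\langle\mathbf{x}| - B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}} \bigr\|_1 .$$

We can use Lemma A.2.8 to bound the trace distance on the right hand side
of this inequality, that is,

$$\bigl\| |\mathbf{x}\rangle\langle\mathbf{x}| - B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}} \bigr\|_1 \leq 2\sqrt{1 - \mathrm{tr}(B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}})} .$$

Because $\rho_{AB}$ is a density operator, the nonnegative coefficients $p_{\mathbf{x},\mathbf{z}}$ sum up
to one. We can thus apply Jensen's inequality which gives

$$\|\rho_{AB}^{\otimes n} - \bar\rho_{A^nB^n}\|_1 \leq 2 \sum_{\mathbf{x} \in \mathcal{X}^n} \sum_{\mathbf{z} \in \mathcal{Z}^n \cup \{\infty\}} p_{\mathbf{x},\mathbf{z}} \sqrt{1 - \mathrm{tr}(B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}})}
\leq 2 \sqrt{\sum_{\mathbf{x} \in \mathcal{X}^n} \sum_{\mathbf{z} \in \mathcal{Z}^n \cup \{\infty\}} p_{\mathbf{x},\mathbf{z}} \bigl(1 - \mathrm{tr}(B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}})\bigr)}
= 2\sqrt{1 - \mathrm{tr}(\bar\rho_{A^nB^n})} . \qquad (3.32)$$

The trace in the square root can be rewritten as

$$\mathrm{tr}(\bar\rho_{A^nB^n}) = \sum_{\mathbf{z}' \in \mathcal{Z}^n} \langle\mathbf{z}'| \Bigl( \sum_{\mathbf{x} \in \mathcal{X}^n} \sum_{\mathbf{z} \in \mathcal{Z}^n} p_{\mathbf{x},\mathbf{z}}\, B_{\mathbf{z}} |\mathbf{x}\rangle\langle\mathbf{x}| B_{\mathbf{z}} \Bigr) |\mathbf{z}'\rangle
= \sum_{\mathbf{z}' \in \mathcal{Z}^n} \sum_{\mathbf{z} :\, \mathbf{z} \leq \mathbf{z}'} \sum_{\mathbf{x} \in \mathcal{X}^n} p_{\mathbf{x},\mathbf{z}} |\langle\mathbf{z}'|\mathbf{x}\rangle|^2 .$$

Because the terms in the sum are all nonnegative, the sum can only
become smaller if we restrict the set of values $\mathbf{x}$ over which the sum is taken.
Consequently,

$$\mathrm{tr}(\bar\rho_{A^nB^n}) \geq \sum_{\mathbf{z}' \in \mathcal{Z}^n} \sum_{\mathbf{x} :\, p_{\mathbf{x}} \leq \lambda q_{\mathbf{z}'}} |\langle\mathbf{z}'|\mathbf{x}\rangle|^2 \sum_{\mathbf{z} :\, \mathbf{z} \leq \mathbf{z}'} p_{\mathbf{x},\mathbf{z}} .$$

By the definition of $p_{\mathbf{x},\mathbf{z}}$, we have $\sum_{\mathbf{z} :\, \mathbf{z} \leq \mathbf{z}'} p_{\mathbf{x},\mathbf{z}} = p_{\mathbf{x}}$, for any $(\mathbf{x}, \mathbf{z}')$ such that
$p_{\mathbf{x}} \leq \lambda q_{\mathbf{z}'}$, and hence

$$\mathrm{tr}(\bar\rho_{A^nB^n}) \geq \sum_{(\mathbf{x},\mathbf{z}') :\, p_{\mathbf{x}} \leq \lambda q_{\mathbf{z}'}} p_{\mathbf{x}} |\langle\mathbf{z}'|\mathbf{x}\rangle|^2 .$$

Because $\sum_{\mathbf{z},\mathbf{x}} p_{\mathbf{x}} |\langle\mathbf{z}|\mathbf{x}\rangle|^2 = 1$, this inequality can be rewritten as

$$1 - \mathrm{tr}(\bar\rho_{A^nB^n}) \leq \sum_{(\mathbf{x},\mathbf{z}) :\, p_{\mathbf{x}} > \lambda q_{\mathbf{z}}} p_{\mathbf{x}} |\langle\mathbf{z}|\mathbf{x}\rangle|^2 .$$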
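Recall that we need to prove that $\bar\rho_{A^nB^n} \in \mathcal{B}^{\varepsilon}(\rho_{AB}^{\otimes n})$. Hence, combining
(3.32) with the above bound on $\mathrm{tr}(\bar\rho_{A^nB^n})$, it remains to be shown that

$$\sum_{(\mathbf{x},\mathbf{z}) :\, p_{\mathbf{x}} > \lambda q_{\mathbf{z}}} p_{\mathbf{x}} |\langle\mathbf{z}|\mathbf{x}\rangle|^2 \leq \Bigl(\frac{\varepsilon}{2}\Bigr)^2 . \qquad (3.33)$$

Let

$$\mathrm{id}_A \otimes \sigma_B = \sum_{z \in \mathcal{Z}} q_z |z\rangle\langle z|$$

and

$$\rho_{AB} = \sum_{x \in \mathcal{X}} p_x |x\rangle\langle x|$$

be spectral decompositions of $\mathrm{id}_A \otimes \sigma_B$ and $\rho_{AB}$, respectively. Moreover, let
$P_{XZ}$ be the probability distribution defined by

$$P_{XZ}(x,z) := p_x |\langle z|x\rangle|^2 .$$

Note that $|\mathbf{x}\rangle$ and $p_{\mathbf{x}}$, as used above, can be defined as $|\mathbf{x}\rangle := \bigotimes_{i=1}^{n} |x_i\rangle$
and $p_{\mathbf{x}} = p_{(x_1,\ldots,x_n)} := \prod_{i=1}^{n} p_{x_i}$. Similarly, we can set $|\mathbf{z}\rangle := \bigotimes_{i=1}^{n} |z_i\rangle$
and $q_{\mathbf{z}} = q_{(z_1,\ldots,z_n)} := \prod_{i=1}^{n} q_{z_i}$. Then, the left hand side of (3.33) can be
rewritten as

$$\sum_{(\mathbf{x},\mathbf{z}) :\, p_{\mathbf{x}} > \lambda q_{\mathbf{z}}} p_{\mathbf{x}} |\langle\mathbf{z}|\mathbf{x}\rangle|^2 = \Pr_{\mathbf{x},\mathbf{z}}[p_{\mathbf{x}} > \lambda q_{\mathbf{z}}]
= \Pr_{\mathbf{x},\mathbf{z}}[-\log p_{\mathbf{x}} + \log q_{\mathbf{z}} < -\log\lambda]
= \Pr_{\mathbf{x},\mathbf{z}}\Bigl[\sum_{i=1}^{n} (-\log p_{x_i} + \log q_{z_i}) < -\log\lambda\Bigr] \qquad (3.34)$$

for $(\mathbf{x}, \mathbf{z})$ chosen according to the probability distribution $(P_{XZ})^n$.
By the definition of $H(\rho_{AB}|\sigma_B)$, we have

$$H(\rho_{AB}|\sigma_B) = -\mathrm{tr}(\rho_{AB} \log \rho_{AB}) + \mathrm{tr}(\rho_{AB} \log \mathrm{id}_A \otimes \sigma_B)
= \sum_{x,z} p_x |\langle z|x\rangle|^2 \Bigl(\log\frac{1}{p_x} - \log\frac{1}{q_z}\Bigr)
= \mathbb{E}_{x,z}[-\log p_x + \log q_z] ,$$

for $(x,z)$ chosen according to $P_{XZ}$. According to Birkhoff's theorem (cf.
Theorem B.2.2) there exist nonnegative coefficients $\mu_\pi$ parameterized by the
bijections $\pi$ from $\mathcal{X}$ to $\mathcal{Z}$ such that $\sum_\pi \mu_\pi = 1$ and $|\langle z|x\rangle|^2 = \sum_\pi \mu_\pi \delta_{z,\pi(x)}$.
The identity above can thus be rewritten as

$$H(\rho_{AB}|\sigma_B) = \sum_{x} p_x \sum_{z} |\langle z|x\rangle|^2 \log\frac{q_z}{p_x} = \sum_{\pi} \mu_\pi \sum_{x} p_x \log\frac{q_{\pi(x)}}{p_x} . \qquad (3.35)$$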

TÍ Pz „ * Px 
For $(x,z)$ chosen according to $P_{XZ}$,



-f 



For any íEl, let v± be the function defined by (|3.23j) . The last term in the 
sum above can then be bounded by 

«. ^' í - r . í f^)U í l n ^í) + l 



<r |í| f^H + ^ + 2Uíln^ + l 

where the inequality follows from the fact that, for all z > 0, rt(z) < 
r l*K z ï) (Lemma IB.6.2|) and the fact that is monotonically increasing 
(Lemma IB. 6. 1|) on the interval [1, oo). Because -^i + + 2 G [4, oo) and 

because rt is concave on this interval (Lemma IB. 6. 3|) we can apply Jensen's 
inequality, which gives 

E [2-*0<*fr-***>] < + ^ + 2 

+ í(ln 2) V M7r Vfe log ^P- + 1 . (3.36) 

Note that ^ s í/j = tr(idyi (giag) = dim(H^). As we can assume without loss 
of generality that TLa is restricted to the support of pa, we have 

E ^ E = Tank ÍPA) ■ 

■n x 

Moreover, 

-2 



Hence, together with í)3.35j) . the bound (|3.36|) can be rewritten as 

E [a-toogfe-iog?,)] < ( + 2) + í(ln 2)jff (^ B | aB ) + 1 

2,2 1 1 

where 7 := rank(p^) + tr(/9^ B (id J 4(g><7£ 1 )) . Furthermore, using the fact that 
Ioga < 5^2(0 — 1) we find 

g j2~ í ( lo sfe- lo sfe)] < 2 1 °s( r |í|(7+ 2 )+ í ( ln2 )iï(p AS |(T B )+i) 

x,z ~ 

< 2ïh r \t\(·y+2)+tH(pABW B ) _ 






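With Lemma lROl we conclude

$$\mathbb{E}_{x,z}\bigl[2^{t(-\log p_x + \log q_z - H(\rho_{AB}|\sigma_B))}\bigr] \leq 2^{(\frac{1}{\ln 2} - 1) t^2 \log(\gamma+2)^2} \leq 2^{\frac{1}{2} t^2 \log(\gamma+2)^2} . \qquad (3.37)$$

Let now $w(\mathbf{x},\mathbf{z}) := \sum_{i=1}^{n} \bigl(-\log p_{x_i} + \log q_{z_i} - H(\rho_{AB}|\sigma_B)\bigr)$. Because the
expectation of the product of independent values is equal to the product
of the expectation of these values, we have, for $(\mathbf{x}, \mathbf{z})$ chosen according to
$(P_{XZ})^n$,

$$\mathbb{E}_{\mathbf{x},\mathbf{z}}\bigl[2^{t w(\mathbf{x},\mathbf{z})}\bigr] = \mathbb{E}_{x,z}\bigl[2^{t(-\log p_x + \log q_z - H(\rho_{AB}|\sigma_B))}\bigr]^n .$$

Hence, by Markov's inequality, for any $t < 0$,

$$\Pr_{\mathbf{x},\mathbf{z}}[w(\mathbf{x},\mathbf{z}) \leq -n\delta] = \Pr_{\mathbf{x},\mathbf{z}}\bigl[2^{t w(\mathbf{x},\mathbf{z})} \geq 2^{-tn\delta}\bigr]
\leq \frac{\mathbb{E}_{\mathbf{x},\mathbf{z}}\bigl[2^{t w(\mathbf{x},\mathbf{z})}\bigr]}{2^{-tn\delta}}$$

and thus, using (3.37),

$$\Pr_{\mathbf{x},\mathbf{z}}[w(\mathbf{x},\mathbf{z}) \leq -n\delta] \leq 2^{\frac{1}{2} t^2 n \log(\gamma+2)^2 + tn\delta} .$$

Consequently, with $t := -\frac{\delta}{\log(\gamma+2)^2}$,

$$\Pr_{\mathbf{x},\mathbf{z}}\Bigl[\sum_{i=1}^{n} (-\log p_{x_i} + \log q_{z_i}) < nH(\rho_{AB}|\sigma_B) - n\delta\Bigr]
\leq \Pr_{\mathbf{x},\mathbf{z}}[w(\mathbf{x},\mathbf{z}) \leq -n\delta] \leq 2^{-\frac{n\delta^2}{2\log(\gamma+2)^2}} \leq \Bigl(\frac{\varepsilon}{2}\Bigr)^2 .$$

Combining this with (3.34) implies (3.33) and thus concludes the proof. □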

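The following corollary specializes Theorem 3.3.6 to the case where the
first part of the state $\rho_{AB} = \rho_{XB}$ is classical and where $\sigma_B = \rho_B$.

Corollary 3.3.7. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be a density operator which is
classical on $\mathcal{H}_X$. Then, for any $\varepsilon \geq 0$,

$$\frac{1}{n} H_{\min}^{\varepsilon}(\rho_{XB}^{\otimes n}|\rho_B^{\otimes n}) \geq H(\rho_{XB}) - H(\rho_B) - \delta ,$$

where $\delta := (2H_{\max}(\rho_X) + 3) \sqrt{\frac{\log(1/\varepsilon) + 1}{n}}$.

Proof. Assume without loss of generality that $\rho_B$ is invertible (the general
statement then follows by continuity). Because the operator

$$\mathrm{id}_X \otimes \rho_B - \rho_{XB} = \sum_{x} |x\rangle\langle x| \otimes (\rho_B - \rho_B^x)$$

is nonnegative, we can apply Lemma B.5.4 which gives

$$\lambda_{\max}\bigl(\rho_{XB}^{1/2} (\mathrm{id}_X \otimes \rho_B^{-1}) \rho_{XB}^{1/2}\bigr) \leq 1 .$$

Hence, since $\rho_{XB}$ is normalized,

$$\mathrm{tr}\bigl(\rho_{XB}^2 (\mathrm{id}_X \otimes \rho_B^{-1})\bigr) = \mathrm{tr}\bigl(\rho_{XB}\, \rho_{XB}^{1/2} (\mathrm{id}_X \otimes \rho_B^{-1}) \rho_{XB}^{1/2}\bigr) \leq 1 .$$

Using the fact that, for any $a \geq 2$, $\log(a + 3) \leq \log a + \frac{3}{2}$, we thus have

$$\log\bigl(\mathrm{rank}(\rho_X) + \mathrm{tr}(\rho_{XB}^2 (\mathrm{id}_X \otimes \rho_B^{-1})) + 2\bigr) \leq \log(\mathrm{rank}(\rho_X) + 3)
\leq \log \mathrm{rank}(\rho_X) + \frac{3}{2}
= H_{\max}(\rho_X) + \frac{3}{2} .$$

The assertion then follows directly from Theorem 3.3.6 with $\rho_{AB} := \rho_{XB}$
and $\sigma_B := \rho_B$. □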



Chapter 4 

Symmetric States 



The state of an $n$-partite quantum system is said to be symmetric or
permutation-invariant if it is unchanged under reordering of the subsystems.
Such states have nice properties which are actually very similar to those of
product states.

The chapter is organized as follows: We first review some basic properties
of symmetric subspaces of product spaces (Section 4.1) and show that any
permutation-invariant density operator has a purification in such a space
(Section 4.2). Next, we state our main result on the structure of symmetric
states, which generalizes the so-called de Finetti representation theorem
(Section 4.3). Based on this result, we derive expressions for the smooth
min-entropy (Section 4.4) and the measurement statistics (Section 4.5) of
symmetric states.

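4.1 Definition and basic properties
4.1.1 Symmetric subspace of $\mathcal{H}^{\otimes n}$

Let $\mathcal{H}$ be a Hilbert space and let $\mathcal{S}_n$ be the set of permutations on $\{1, \ldots, n\}$.
For any $\pi \in \mathcal{S}_n$, we denote by the same letter $\pi$ the unitary operation on
$\mathcal{H}^{\otimes n}$ which permutes the $n$ subsystems, that is,

$$\pi(|\theta_1\rangle \otimes \cdots \otimes |\theta_n\rangle) := |\theta_{\pi^{-1}(1)}\rangle \otimes \cdots \otimes |\theta_{\pi^{-1}(n)}\rangle ,$$

for any $|\theta_1\rangle, \ldots, |\theta_n\rangle \in \mathcal{H}$.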

Definition 4.1.1. Let $\mathcal{H}$ be a Hilbert space and let $n \geq 0$. The symmetric
subspace $\mathrm{Sym}(\mathcal{H}^{\otimes n})$ of $\mathcal{H}^{\otimes n}$ is the subspace of $\mathcal{H}^{\otimes n}$ spanned by all vectors
which are invariant under permutations of the subsystems, that is,

$$\mathrm{Sym}(\mathcal{H}^{\otimes n}) := \{|\Psi\rangle \in \mathcal{H}^{\otimes n} : \pi|\Psi\rangle = |\Psi\rangle\} .$$

Remark 4.1.2. For any $n', n'' \geq 0$,

$$\mathrm{Sym}(\mathcal{H}^{\otimes n'+n''}) \subseteq \mathrm{Sym}(\mathcal{H}^{\otimes n'}) \otimes \mathrm{Sym}(\mathcal{H}^{\otimes n''}) .$$

Lemma 4.1.3 below provides an alternative characterization of the
symmetric subspace $\mathrm{Sym}(\mathcal{H}^{\otimes n})$.

Lemma 4.1.3. Let $\mathcal{H}$ be a Hilbert space and let $n \geq 0$. Then

$$\mathrm{Sym}(\mathcal{H}^{\otimes n}) = \mathrm{span}\{|\theta\rangle^{\otimes n} : |\theta\rangle \in \mathcal{H}\} .$$

Proof. For a proof of this statement, we refer to the standard literature on
symmetric functions or representation theory (see, e.g., [WG00]). □

A basis of the symmetric subspace 

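Let $\mathbf{x} = (x_1, \ldots, x_n)$ be an $n$-tuple of elements from $\mathcal{X}$. The frequency
distribution $\lambda_{\mathbf{x}}$ of $\mathbf{x}$ is the probability distribution on $\mathcal{X}$ defined by the
relative number of occurrences of each symbol, that is,

$$\lambda_{\mathbf{x}}(x) := \frac{1}{n} |\{i : x_i = x\}| ,$$

for any $x \in \mathcal{X}$. In the following, we denote by $\mathcal{Q}_n^{\mathcal{X}}$ the set of frequency
distributions of $n$-tuples on $\mathcal{X}$, also called types with denominator $n$ on $\mathcal{X}$.
Moreover, for any type $Q \in \mathcal{Q}_n^{\mathcal{X}}$, we denote by $\Lambda_n^Q$ the corresponding type
class, i.e., the set of all $n$-tuples $\mathbf{x} = (x_1, \ldots, x_n)$ with frequency distribution
$\lambda_{\mathbf{x}} = Q$.

Let $\{|x\rangle\}_{x \in \mathcal{X}}$ be an orthonormal basis of $\mathcal{H}$. For any $Q \in \mathcal{Q}_n^{\mathcal{X}}$, we define
the vector $|\Theta^Q\rangle$ on $\mathrm{Sym}(\mathcal{H}^{\otimes n})$ by

$$|\Theta^Q\rangle := \frac{1}{\sqrt{|\Lambda_n^Q|}} \sum_{(x_1,\ldots,x_n) \in \Lambda_n^Q} |x_1\rangle \otimes \cdots \otimes |x_n\rangle , \qquad (4.1)$$

where, according to Lemma B.1.2, $|\Lambda_n^Q| = \frac{n!}{\prod_{x} (nQ(x))!}$.

The vectors $|\Theta^Q\rangle$, for $Q \in \mathcal{Q}_n^{\mathcal{X}}$, are mutually orthogonal and normalized.
We will see below (cf. Lemma 4.1.5) that the family $\{|\Theta^Q\rangle\}_{Q \in \mathcal{Q}_n^{\mathcal{X}}}$ is a basis
of $\mathrm{Sym}(\mathcal{H}^{\otimes n})$. In particular, if $\mathcal{H}$ has dimension $d$, then $\dim(\mathrm{Sym}(\mathcal{H}^{\otimes n}))$ =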
= ( C f. Lemma lEXTt . 

4.1.2 Symmetric subspace along product states 

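Let $\mathcal{H}$ be a Hilbert space, let $|\theta\rangle \in \mathcal{H}$ be fixed, and let $0 \leq m \leq n$. We
denote by $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ the set of vectors $|\Psi\rangle \in \mathcal{H}^{\otimes n}$ which, after some
reordering of the subsystems, are of the form $|\theta\rangle^{\otimes m} \otimes |\tilde\Psi\rangle$, that is,

$$\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m}) := \{\pi(|\theta\rangle^{\otimes m} \otimes |\tilde\Psi\rangle) : \pi \in \mathcal{S}_n,\ |\tilde\Psi\rangle \in \mathcal{H}^{\otimes n-m}\} . \qquad (4.2)$$

We will be interested in the subspace of $\mathrm{Sym}(\mathcal{H}^{\otimes n})$ which only consists
of linear combinations of vectors from $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$.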
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Definition 4.1.4. Let Ti be a Hilbert space, let |0) G H, and let < m < n. 

The symmetric subspace Sym(H® n , \9)® m ) ofH® n along \9)® m is 

Sym(W 0n , |#)® m ) := Sym(?í 0n ) D span V(W® n , |0) 0m ) , 
where V(7í® n , |(9)® m ) denotes the subset of H® n defined by (Hg) . 

Note that Sym(?í® n , |6») 0m ) Ç Sym(W® n ), where equality holds if m = 0. 
In Section 14.41 and 14.51 we shall see that, if r := n — m is small compared 
to n, then the states in Sym(7í® n , |#)® m ) have similar properties as product 
states \9}® n . 

Lemma 4.1.5. Let Tl be a Hilbert space with orthonormal basis {\x)} x ex, 
let \9) := \x) for some x G X , and let < m < n. Then the family 

®--={\® Q )}QeQ*:Q(ï)>f 

of vectors \Q®} defined by (|4.1|) is an orthonormal basis o/Sym(7í® n , \9}® m ). 

Note that, for m = 0, Lemma 14. 1 .51 implies that the family {\@®}}q£qx 
is an orthonormal basis of Sym(7i.® n ). 

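Proof. For any $Q \in \mathcal{Q}_n^{\mathcal{X}}$, the vector $|\Theta^Q\rangle$ is invariant under permutations of
the subsystems, that is, $|\Theta^Q\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n})$. Moreover, if $Q(\bar{x}) \ge \frac{m}{n}$ then the
sum on the right hand side of (4.1) only runs over n-tuples which contain
at least $m$ symbols $\bar{x}$, that is, each term of the sum is contained in the
set $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ defined by (4.2) and hence $|\Theta^Q\rangle \in \mathrm{span}\, \mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$.
This proves that all vectors $|\Theta^Q\rangle \in \mathcal{B}$ are contained in $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$.
Moreover, the vectors $|\Theta^Q\rangle$ are mutually orthogonal and normalized.

It remains to be shown that $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ is spanned by the vectors
$|\Theta^Q\rangle \in \mathcal{B}$. Let thus $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ be fixed. Since $\{|x\rangle\}_{x \in \mathcal{X}}$ is a
basis of $\mathcal{H}$, there exist coefficients $\alpha_{\mathbf{x}}$, for $\mathbf{x} = (x_1, \ldots, x_n) \in \mathcal{X}^n$, such that

$$|\Psi\rangle = \sum_{\mathbf{x}} \alpha_{\mathbf{x}} |x_1\rangle \otimes \cdots \otimes |x_n\rangle .$$

Because $|\Psi\rangle$ is invariant under permutations of the subsystems, the coefficients
$\alpha_{\mathbf{x}}$ can only depend on the frequency distribution $\lambda_{\mathbf{x}}$. This implies
that there exist coefficients $\beta_Q$ such that

$$|\Psi\rangle = \sum_{Q} \beta_Q |\Theta^Q\rangle .$$

To conclude the proof, we need to verify that this sum can be restricted
to frequency distributions $Q$ such that $Q(\bar{x}) \ge \frac{m}{n}$. Observe that, for any
$Q \in \mathcal{Q}_n^{\mathcal{X}}$ with $Q(\bar{x}) < \frac{m}{n}$, the vector $|\Theta^Q\rangle$ is orthogonal to any vector
in $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ and thus also to any vector in $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$. The
corresponding coefficient $\beta_Q$ must thus be zero. □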
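Any vector $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ can be written as a linear combination
of at most$^1$ $2^{nh(m/n)}$ vectors from the set $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ defined
by (4.2).

Lemma 4.1.6. Let $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$. Then there exists an orthonormal
family $\{|\Psi^s\rangle\}_{s \in \mathcal{S}}$ of vectors from $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ with cardinality
$|\mathcal{S}| \le 2^{nh(m/n)}$ such that $|\Psi\rangle \in \mathrm{span}\{|\Psi^s\rangle\}_{s \in \mathcal{S}}$.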

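Proof. Let $\{|x\rangle\}_{x \in \mathcal{X}}$ be an orthonormal basis of $\mathcal{H}$ such that $|\bar{x}\rangle = |\theta\rangle$. For
any n-tuple $\mathbf{x} = (x_1, \ldots, x_n) \in \mathcal{X}^n$ we denote by $|\mathbf{x}\rangle$ the vector $|x_1\rangle \otimes
\cdots \otimes |x_n\rangle$. Because $|\Psi\rangle \in \mathrm{span}\, \mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$, there exist coefficients $\beta_{\mathbf{x}}$,
for $\mathbf{x} \in \mathcal{X}^n$, such that

$$|\Psi\rangle = \sum_{\mathbf{x} :\, \lambda_{\mathbf{x}}(\bar{x}) \ge \frac{m}{n}} \beta_{\mathbf{x}} |\mathbf{x}\rangle . \tag{4.3}$$

Let $\mathcal{S}$ be the set of all subsets $s \subseteq \{1, \ldots, n\}$ of cardinality $|s| = m$.
Moreover, for any $\mathbf{x} = (x_1, \ldots, x_n) \in \mathcal{X}^n$ with $\lambda_{\mathbf{x}}(\bar{x}) \ge \frac{m}{n}$, let $s(\mathbf{x}) \in \mathcal{S}$ be a
set of $m$ indices from $\{1, \ldots, n\}$ such that $i \in s(\mathbf{x}) \Rightarrow x_i = \bar{x}$. Finally, for
any $s \in \mathcal{S}$, let

$$|\Psi^s\rangle := \sum_{\mathbf{x} :\, s(\mathbf{x}) = s} \beta_{\mathbf{x}} |\mathbf{x}\rangle . \tag{4.4}$$

The sum in (4.3) can then be rewritten as $|\Psi\rangle = \sum_{s \in \mathcal{S}} |\Psi^s\rangle$, that is, $|\Psi\rangle \in
\mathrm{span}\{|\Psi^s\rangle\}_{s \in \mathcal{S}}$. Moreover, Lemma IÏÏTÏÏ1 implies $|\mathcal{S}| \le 2^{nh(m/n)}$.

It remains to be shown that $\{|\Psi^s\rangle\}_{s \in \mathcal{S}}$ is an orthonormal family of vectors
from $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$. Let thus $s \in \mathcal{S}$ be fixed and let $\pi$ be a permutation
such that $\pi(s) = \{1, \ldots, m\}$. Hence, for any $\mathbf{x}$ with $s(\mathbf{x}) = s$, the vector $\pi|\mathbf{x}\rangle$
has the form $|\theta\rangle^{\otimes m} \otimes |\tilde{\Psi}\rangle$, for some $|\tilde{\Psi}\rangle \in \mathcal{H}^{\otimes n-m}$. By the definition (4.4),
the same holds for $\pi|\Psi^s\rangle$, i.e., $|\Psi^s\rangle \in \mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$. Furthermore, because
for distinct $s, s' \in \mathcal{S}$, the sum in (4.4) runs over disjoint sets of n-tuples $\mathbf{x}$,
and because the vectors $|\mathbf{x}\rangle$ are mutually orthogonal, the states $|\Psi^s\rangle$ are also
mutually orthogonal. The assertion thus follows by normalizing the vectors
$|\Psi^s\rangle$. □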
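The basis of Lemma 4.1.5 and the decomposition used in the proof of Lemma 4.1.6 can be checked by brute force for small n. The following Python sketch is an added example and not part of the thesis; the function names, the dictionary representation of vectors and the toy parameters are assumptions made here.

```python
from itertools import permutations, product
from math import comb, factorial, log2, prod, sqrt

def type_class_basis(alphabet, n):
    """Vectors |Theta^Q> of (4.1) as {n-tuple: amplitude}, keyed by the counts n*Q(x)."""
    classes = {}
    for x in product(alphabet, repeat=n):
        counts = tuple(x.count(a) for a in alphabet)
        classes.setdefault(counts, []).append(x)
    basis = {}
    for counts, members in classes.items():
        # Size of the type class: n! / prod_x (n*Q(x))!
        assert len(members) == factorial(n) // prod(factorial(c) for c in counts)
        basis[counts] = {x: 1 / sqrt(len(members)) for x in members}
    return basis

def inner(u, v):
    """Inner product of two real vectors stored as sparse dicts."""
    return sum(a * v.get(x, 0.0) for x, a in u.items())

def is_symmetric(vec, n):
    """True if vec is unchanged by every permutation of the n subsystems."""
    return all(
        {tuple(x[i] for i in pi): a for x, a in vec.items()} == vec
        for pi in permutations(range(n))
    )

def basis_along(alphabet, n, m, theta):
    """Lemma 4.1.5: keep the |Theta^Q> whose type has n*Q(theta) >= m."""
    k = alphabet.index(theta)
    return {c: v for c, v in type_class_basis(alphabet, n).items() if c[k] >= m}

def split_by_positions(vec, m, theta):
    """Lemma 4.1.6: group the terms of vec by s(x), m positions that all hold theta."""
    parts = {}
    for x, a in vec.items():
        s = tuple(i for i, xi in enumerate(x) if xi == theta)[:m]  # one valid s(x)
        if len(s) < m:
            raise ValueError("vector is not in span V(H^n, theta^m)")
        parts.setdefault(s, {})[x] = a
    return parts

def binary_entropy(p):
    """h(p) = -p log p - (1 - p) log(1 - p), logarithm to base 2."""
    return 0.0 if p in (0, 1) else -p * log2(p) - (1 - p) * log2(1 - p)

def check(alphabet, n, m, theta):
    d = len(alphabet)
    basis = type_class_basis(alphabet, n)
    along = basis_along(alphabet, n, m, theta)
    # Equal-weight superposition of the restricted basis: a state in Sym(H^n, theta^m).
    psi = {x: a / sqrt(len(along)) for v in along.values() for x, a in v.items()}
    parts = split_by_positions(psi, m, theta)
    supports = [set(p) for p in parts.values()]
    return {
        "dim_sym": len(basis),
        "dim_formula": comb(n + d - 1, n),
        "orthonormal": all(
            abs(inner(u, v) - (cu == cv)) < 1e-12
            for cu, u in basis.items() for cv, v in basis.items()
        ),
        "symmetric": all(is_symmetric(v, n) for v in basis.values()),
        "dim_along": len(along),
        "psi_norm": inner(psi, psi),
        "parts": len(parts),
        # Disjoint supports in the product basis imply mutually orthogonal parts.
        "parts_orthogonal": sum(len(s) for s in supports) == len(set().union(*supports)),
        "parts_bound": 2 ** (n * binary_entropy(m / n)),
    }

if __name__ == "__main__":
    # Constructed toy case: d = 3 basis labels, n = 4 subsystems, m = 3, theta = "0".
    print(check(("0", "1", "2"), 4, 3, "0"))
```

For the toy case the restricted family has 3 elements out of 15, and the superposition splits into 4 orthogonal parts, below the bound $2^{nh(m/n)} \approx 9.5$.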

4.2 Symmetric purification 

An operator $\rho_n$ on $\mathcal{H}^{\otimes n}$ is called permutation-invariant if $\pi \rho_n \pi^\dagger = \rho_n$, for
any permutation $\pi \in \mathcal{S}_n$. For example, the pure state $\rho_n = |\Psi\rangle\langle\Psi|$, for
some vector $|\Psi\rangle$ of the symmetric subspace of $\mathcal{H}^{\otimes n}$, is permutation-invariant.
More generally, any mixture of symmetric pure states is permutation-invariant.

$^1$ $h$ denotes the binary Shannon entropy function defined by $h(p) := -p\log(p) -
(1-p)\log(1-p)$.
The converse, however, is not always true. Consider for example the
fully mixed state $\rho_2$ on $\mathcal{H}^{\otimes 2}$ where $\dim(\mathcal{H}) = 2$. Because this operator can
be written as $\rho_2 = \sigma^{\otimes 2}$, it is invariant under permutations. However, $\rho_2$
has rank 4, whereas the symmetric subspace of $\mathcal{H}^{\otimes 2}$ only has dimension 3.
Consequently, $\rho_2$ is not a mixture of symmetric pure states.

Lemma 4.2.2 below establishes another connection between permutation-invariant
operators and symmetric pure states. We show that any permutation-invariant
operator $\rho_n$ on $\mathcal{H}^{\otimes n}$ has a purification on the symmetric subspace
of $(\mathcal{H} \otimes \mathcal{H})^{\otimes n}$.

To prove this result, we need a technical lemma which states that a fully
entangled state on two subsystems is unchanged when the same unitary
operation is applied to both subsystems.

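Lemma 4.2.1. Let $\{|x\rangle\}_{x \in \mathcal{X}}$ be an orthonormal family of vectors on a
Hilbert space $\mathcal{H}$ and define

$$|\Psi\rangle := \sum_{x \in \mathcal{X}} |x\rangle \otimes \overline{|x\rangle} ,$$

where, for any $x \in \mathcal{X}$, $\overline{|x\rangle}$ denotes the complex conjugate of $|x\rangle$ (with respect
to some basis of $\mathcal{H}$). Let $U$ be a unitary operation on the subspace spanned
by $\{|x\rangle\}_{x \in \mathcal{X}}$ and let $\bar{U}$ be its complex conjugate. Then

$$(U \otimes \bar{U})|\Psi\rangle = |\Psi\rangle .$$

Proof. A simple calculation shows that, for any $x, x' \in \mathcal{X}$,

$$(\langle x| \otimes \overline{\langle x'|})|\Psi\rangle = \delta_{x,x'}$$

and

$$(\langle x| \otimes \overline{\langle x'|})(U \otimes \bar{U})|\Psi\rangle = \delta_{x,x'} .$$

The assertion follows because, obviously, $\{|x\rangle \otimes \overline{|x'\rangle}\}_{x,x' \in \mathcal{X}}$ is a basis of the
subspace of $\mathcal{H} \otimes \mathcal{H}$ that contains $|\Psi\rangle$. □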

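Lemma 4.2.2. Let $\rho_n \in \mathcal{P}(\mathcal{H}^{\otimes n})$ be permutation-invariant. Then there
exists a purification of $\rho_n$ on $\mathrm{Sym}((\mathcal{H} \otimes \mathcal{H})^{\otimes n})$.

Proof. Let $\{|x\rangle\}_{x \in \mathcal{X}}$ be an (orthonormal) eigenbasis of $\rho_n$ and let $\Lambda$ be the set
of eigenvalues of $\rho_n$. For any $\lambda \in \Lambda$, let $\mathcal{H}_\lambda$ be the corresponding eigenspace
of $\rho_n$, i.e., $\rho_n|\phi\rangle = \lambda|\phi\rangle$, for any $|\phi\rangle \in \mathcal{H}_\lambda$.

Because $\rho_n$ is invariant under permutations, we have $\pi^\dagger \rho_n \pi|\phi\rangle = \lambda|\phi\rangle$,
for any $|\phi\rangle \in \mathcal{H}_\lambda$ and $\pi \in \mathcal{S}_n$. Applying the unitary operation $\pi$ to both
sides of this equality gives $\rho_n \pi|\phi\rangle = \lambda\pi|\phi\rangle$, that is, $\pi|\phi\rangle \in \mathcal{H}_\lambda$. This proves
that the eigenspaces $\mathcal{H}_\lambda$ of $\rho_n$ are invariant under permutations.

For any $|\phi\rangle \in \mathcal{H}^{\otimes n}$, we denote by $\overline{|\phi\rangle}$ the complex conjugate of $|\phi\rangle$ with
respect to some product basis on $\mathcal{H}^{\otimes n}$. Moreover, for any eigenvalue $\lambda \in \Lambda$,
let

$$|\Psi^\lambda\rangle := \sum_{x \in \mathcal{X}_\lambda} |x\rangle \otimes \overline{|x\rangle} ,$$

where $\mathcal{X}_\lambda := \{x \in \mathcal{X} : |x\rangle \in \mathcal{H}_\lambda\}$, i.e., $\{|x\rangle\}_{x \in \mathcal{X}_\lambda}$ is an orthonormal basis of
the eigenspace $\mathcal{H}_\lambda$. Finally, we define the vector $|\Psi\rangle \in \mathcal{H}^{\otimes n} \otimes \mathcal{H}^{\otimes n}$ by

$$|\Psi\rangle := \sum_{\lambda \in \Lambda} \sqrt{\lambda}\, |\Psi^\lambda\rangle .$$

It is easy to verify that the operator obtained by taking the partial trace of
$|\Psi\rangle\langle\Psi|$ satisfies

$$\mathrm{tr}_{\mathcal{H}^{\otimes n}}(|\Psi\rangle\langle\Psi|) = \sum_{\lambda \in \Lambda} \lambda \sum_{x \in \mathcal{X}_\lambda} |x\rangle\langle x| = \rho_n ,$$

i.e., $|\Psi\rangle$ is a purification of $\rho_n$. It thus remains to be shown that $|\Psi\rangle$ is
symmetric.

Let $\pi \in \mathcal{S}_n$ be a fixed permutation. Note that its complex conjugate $\bar{\pi}$
is equal to $\pi$. (Recall that we defined the complex conjugate with respect
to a product basis of $\mathcal{H}^{\otimes n}$.) Moreover, because $\pi$ is unitary on $\mathcal{H}^{\otimes n}$ and,
additionally, for any $\lambda \in \Lambda$, the subspace $\mathcal{H}_\lambda$ is invariant under $\pi$, the
restriction of $\pi$ to $\mathcal{H}_\lambda$ is unitary as well. Hence, by Lemma 4.2.1,

$$(\pi \otimes \pi)|\Psi^\lambda\rangle = (\pi \otimes \bar{\pi})|\Psi^\lambda\rangle = |\Psi^\lambda\rangle$$

and thus, by linearity,

$$(\pi \otimes \pi)|\Psi\rangle = \sum_{\lambda \in \Lambda} \sqrt{\lambda}\, (\pi \otimes \pi)|\Psi^\lambda\rangle = \sum_{\lambda \in \Lambda} \sqrt{\lambda}\, |\Psi^\lambda\rangle = |\Psi\rangle .$$

Because this holds for any permutation $\pi$ on $\mathcal{H}^{\otimes n}$, we conclude $|\Psi\rangle \in
\mathrm{Sym}((\mathcal{H} \otimes \mathcal{H})^{\otimes n})$. □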



4.3 De Finetti representation 

While any product state $\rho_n = \sigma^{\otimes n}$ on $\mathcal{H}^{\otimes n}$ is permutation-invariant, the
converse is not true in general. Nevertheless, as we shall see, the properties of
permutation-invariant states $\rho_n$ are usually very similar to those of product
states.

The quantum de Finetti representation theorem makes this connection
explicit. In its basic version, it states that any density operator $\rho_n$ on $\mathcal{H}^{\otimes n}$
which is infinitely exchangeable, i.e., $\rho_n$ is the partial state of a permutation-invariant
operator $\rho_{n+k}$ on $n + k$ subsystems, for all $k > 0$, can be written
as a mixture of product states $\sigma^{\otimes n}$.

In this section, we generalize the quantum de Finetti representation to
the finite case, where $\rho_n$ is only $(n+k)$-exchangeable, i.e., $\rho_n$ is the partial
state of a permutation-invariant operator $\rho_{n+k}$ on $n+k$ subsystems, for some
fixed $k > 0$. Theorem 4.3.2 below states that any pure density operator $\rho_n$
on $\mathcal{H}^{\otimes n}$ which is $(n+k)$-exchangeable is close to a mixture of states $\bar{\rho}_n^{|\theta\rangle}$
which have almost product form $|\theta\rangle^{\otimes n}$, for $|\theta\rangle \in \mathcal{H}$. More precisely, for any
$|\theta\rangle$, $\bar{\rho}_n^{|\theta\rangle}$ is a pure state of the symmetric subspace of $\mathcal{H}^{\otimes n}$ along $|\theta\rangle^{\otimes n-r}$, for
some small $r > 0$. Because of Lemma 4.2.2 this statement also holds for
mixed states $\rho_n$.

The proof of Theorem 4.3.2 is based on the following lemma which states
that the uniform mixture of product states $(|\theta\rangle\langle\theta|)^{\otimes n}$, for all normalized
vectors $|\theta\rangle \in S_1(\mathcal{H}) := \{|\theta\rangle \in \mathcal{H} : \| |\theta\rangle \| = 1\}$, is equal to the fully mixed
state on the symmetric subspace of $\mathcal{H}^{\otimes n}$.

Lemma 4.3.1. Let $\mathcal{H}$ be a $d$-dimensional Hilbert space and let $n > 0$. Then



where $\omega$ denotes the uniform probability measure on the unit sphere $S_1(\mathcal{H})$.

Lemma 4.3.1 can be proven using techniques from representation theory,
in particular, Schur's Lemma (see, e.g., |W(t00| ). In the following, however,
we propose an alternative proof.

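Proof. Let

$$T := \int_{S_1(\mathcal{H})} (|\theta\rangle\langle\theta|)^{\otimes n}\, \omega(|\theta\rangle) .$$

We first show that $T = c \cdot \mathrm{id}_{\mathrm{Sym}(\mathcal{H}^{\otimes n})}$ for some constant $c$.

Because the space $\mathrm{Sym}(\mathcal{H}^{\otimes n})$ is spanned by vectors of the form $|\theta\rangle^{\otimes n}$
(cf. Lemma 4.1.3), it is sufficient to show that, for any $|u\rangle, |v\rangle \in S_1(\mathcal{H})$,

$$\langle u|^{\otimes n}\, T\, |v\rangle^{\otimes n} = \langle u|^{\otimes n}\, c \cdot \mathrm{id}_{\mathrm{Sym}(\mathcal{H}^{\otimes n})}\, |v\rangle^{\otimes n} . \tag{4.5}$$

Let thus $|u\rangle, |v\rangle \in S_1(\mathcal{H})$ be fixed and define $\alpha := \langle u|v\rangle$ and $|w\rangle :=
|v\rangle - \alpha|u\rangle$, i.e., $\langle u|w\rangle = 0$. Then

$$\begin{aligned}
\langle u|^{\otimes n}\, T\, |v\rangle^{\otimes n} &= \int_{S_1(\mathcal{H})} \langle u|\theta\rangle^n \langle\theta|v\rangle^n\, \omega(|\theta\rangle) \\
&= \int_{S_1(\mathcal{H})} \langle u|\theta\rangle^n \big(\alpha\langle\theta|u\rangle + \langle\theta|w\rangle\big)^n\, \omega(|\theta\rangle) .
\end{aligned} \tag{4.6}$$

Note that, for any $m \in \{0, \ldots, n\}$,

$$\int_{S_1(\mathcal{H})} \langle u|\theta\rangle^n \langle\theta|u\rangle^{n-m} \langle\theta|w\rangle^m\, \omega(|\theta\rangle) = \int_{S_1(\mathcal{H})} |\langle u|\theta\rangle|^{2(n-m)} \langle u|\theta\rangle^m \langle\theta|w\rangle^m\, \omega(|\theta\rangle) .$$

Because, for any fixed value of $\langle u|\theta\rangle$, the integral runs over all phases of
$\langle\theta|w\rangle$ (recall that $|u\rangle$ and $|w\rangle$ are orthogonal) and because the probability
measure $\omega$ is invariant under unitary operations, this expression equals zero
for any $m > 0$. The integral on the right hand side of (4.6) can thus be
rewritten as

$$\begin{aligned}
\langle u|^{\otimes n}\, T\, |v\rangle^{\otimes n} &= \int_{S_1(\mathcal{H})} \alpha^n |\langle u|\theta\rangle|^{2n}\, \omega(|\theta\rangle) \\
&= \langle u|v\rangle^n \int_{S_1(\mathcal{H})} |\langle u|\theta\rangle|^{2n}\, \omega(|\theta\rangle) .
\end{aligned} \tag{4.7}$$

Using again the fact that the probability measure $\omega$ is invariant under unitary
operations, we conclude that the integral on the right hand side cannot
depend on the vector $|u\rangle$, i.e., it is equal to a constant $c$. This implies (4.5)
and thus proves that $T = c \cdot \mathrm{id}_{\mathrm{Sym}(\mathcal{H}^{\otimes n})}$.

To determine the value of $c$,$^2$ observe that

$$\mathrm{tr}(T) = \int_{S_1(\mathcal{H})} \mathrm{tr}\big((|\theta\rangle\langle\theta|)^{\otimes n}\big)\, \omega(|\theta\rangle) = \int_{S_1(\mathcal{H})} \omega(|\theta\rangle) = 1 , \tag{4.8}$$

where the last equality holds because $\omega$ is a probability measure on $S_1(\mathcal{H})$.
On the other hand, we have $\mathrm{tr}(T) = c \cdot \dim(\mathrm{Sym}(\mathcal{H}^{\otimes n}))$. Hence, $c^{-1} =
\dim(\mathrm{Sym}(\mathcal{H}^{\otimes n})) = \binom{n+d-1}{n}$, which concludes the proof. □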

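We are now ready to state and prove a de Finetti style representation
theorem. Note that Theorem 4.3.2 is restricted to pure symmetric states.
The statement for general permutation-invariant states then follows because
any such state has a symmetric purification (see Lemma 4.2.2).

Theorem 4.3.2. Let $\rho_{n+k}$ be a pure density operator on $\mathrm{Sym}(\mathcal{H}^{\otimes n+k})$ and
let $0 \le r \le n$. Then there exists a measure $\nu$ on $S_1(\mathcal{H})$ and, for each
$|\theta\rangle \in S_1(\mathcal{H})$, a pure density operator $\bar{\rho}_n^{|\theta\rangle}$ on $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$ such that

$$\Big\| \mathrm{tr}_k(\rho_{n+k}) - \int_{S_1(\mathcal{H})} \bar{\rho}_n^{|\theta\rangle}\, \nu(|\theta\rangle) \Big\|_1 \le 2 e^{-\frac{k(r+1)}{2(n+k)} + \frac{1}{2}\dim(\mathcal{H}) \ln k} .$$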
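Proof. Because the density operator $\rho_{n+k}$ is pure, we have $\rho_{n+k} = |\Psi\rangle\langle\Psi|$
for some $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n+k})$. For any $|\theta\rangle \in S_1(\mathcal{H})$, let

$$|\Psi^{|\theta\rangle}\rangle := \sqrt{\tbinom{k+d-1}{k}} \cdot \big(\mathrm{id}_{\mathcal{H}}^{\otimes n} \otimes \langle\theta|^{\otimes k}\big) \cdot |\Psi\rangle ,$$

where $d := \dim(\mathcal{H})$. Because $\mathrm{Sym}(\mathcal{H}^{\otimes n+k})$ is a subspace of $\mathrm{Sym}(\mathcal{H}^{\otimes n}) \otimes
\mathrm{Sym}(\mathcal{H}^{\otimes k})$ (see Remark HT2l), $|\Psi^{|\theta\rangle}\rangle$ is contained in $\mathrm{Sym}(\mathcal{H}^{\otimes n})$. Let $\rho_n^{|\theta\rangle} :=
|\Psi^{|\theta\rangle}\rangle\langle\Psi^{|\theta\rangle}|$, let $P^{|\theta\rangle}$ be the projector onto the subspace $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$,
and define

$$\bar{\rho}_n^{|\theta\rangle} := \frac{1}{p(|\theta\rangle)}\, P^{|\theta\rangle} \rho_n^{|\theta\rangle} P^{|\theta\rangle} ,$$

where $p(|\theta\rangle) := \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle} P^{|\theta\rangle})$, i.e., $\bar{\rho}_n^{|\theta\rangle}$ is normalized and, because $\rho_n^{|\theta\rangle}$ has
rank one, it is also pure. Finally, let $\nu$ be the measure defined by $\nu := p \cdot \omega$,
where $\omega$ is the uniform probability measure on $S_1(\mathcal{H})$. It then suffices to
show that

$$\delta := \Big\| \mathrm{tr}_k(\rho_{n+k}) - \int_{S_1(\mathcal{H})} P^{|\theta\rangle} \rho_n^{|\theta\rangle} P^{|\theta\rangle}\, \omega(|\theta\rangle) \Big\|_1 \le 2 e^{-\frac{k(r+1)}{2(n+k)} + \frac{1}{2} d \ln k} . \tag{4.9}$$

$^2$ Alternatively, the constant $c$ can be computed by an explicit evaluation of the integral
on the right hand side of (4.7). Remarkably, this can be used to prove Lemma 4.1.3.
Observe first that, by the arguments given in the proof, $c^{-1}$ must be equal to the dimension
of the space spanned by the vectors of the form $|\theta\rangle^{\otimes n}$. On the other hand, the explicit
computation of $c$ shows that $c^{-1}$ equals $\binom{n+d-1}{n}$, which is the dimension of $\mathrm{Sym}(\mathcal{H}^{\otimes n})$.
Because the space spanned by the vectors $|\theta\rangle^{\otimes n}$ is a subspace of $\mathrm{Sym}(\mathcal{H}^{\otimes n})$, it follows
that these spaces are equal.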


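By the definition of $\rho_n^{|\theta\rangle}$, we have

$$\rho_n^{|\theta\rangle} = |\Psi^{|\theta\rangle}\rangle\langle\Psi^{|\theta\rangle}| = \tbinom{k+d-1}{k} \cdot \mathrm{tr}_k\big(\mathrm{id}_{\mathcal{H}}^{\otimes n} \otimes (|\theta\rangle\langle\theta|)^{\otimes k} \cdot |\Psi\rangle\langle\Psi|\big) , \tag{4.10}$$

and thus, by Lemma 4.3.1,

$$\begin{aligned}
\int_{S_1(\mathcal{H})} \rho_n^{|\theta\rangle}\, \omega(|\theta\rangle) &= \tbinom{k+d-1}{k} \cdot \mathrm{tr}_k\Big(\mathrm{id}_{\mathcal{H}}^{\otimes n} \otimes \int_{S_1(\mathcal{H})} (|\theta\rangle\langle\theta|)^{\otimes k}\, \omega(|\theta\rangle) \cdot |\Psi\rangle\langle\Psi|\Big) \\
&= \mathrm{tr}_k\big(\mathrm{id}_{\mathcal{H}}^{\otimes n} \otimes \mathrm{id}_{\mathrm{Sym}(\mathcal{H}^{\otimes k})} \cdot |\Psi\rangle\langle\Psi|\big) .
\end{aligned}$$

Since $\mathrm{Sym}(\mathcal{H}^{\otimes n+k})$ is a subspace of $\mathcal{H}^{\otimes n} \otimes \mathrm{Sym}(\mathcal{H}^{\otimes k})$, the vector $|\Psi\rangle$ is
contained in $\mathcal{H}^{\otimes n} \otimes \mathrm{Sym}(\mathcal{H}^{\otimes k})$. The operation $\mathrm{id}_{\mathcal{H}}^{\otimes n} \otimes \mathrm{id}_{\mathrm{Sym}(\mathcal{H}^{\otimes k})}$ in the above
expression thus leaves $|\Psi\rangle\langle\Psi|$ unchanged. Because $\mathrm{tr}_k(|\Psi\rangle\langle\Psi|) = \mathrm{tr}_k(\rho_{n+k})$,
we conclude

$$\int_{S_1(\mathcal{H})} \rho_n^{|\theta\rangle}\, \omega(|\theta\rangle) = \mathrm{tr}_k(\rho_{n+k}) . \tag{4.11}$$

Using this representation of $\mathrm{tr}_k(\rho_{n+k})$ and the triangle inequality, the
distance $\delta$ defined by (4.9) can be bounded by

$$\delta \le \int_{S_1(\mathcal{H})} \big\| \rho_n^{|\theta\rangle} - P^{|\theta\rangle} \rho_n^{|\theta\rangle} P^{|\theta\rangle} \big\|_1\, \omega(|\theta\rangle) .$$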

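Because the operators $P^{|\theta\rangle}$ are projectors, we can apply Lemma A.2.8 to
bound the distance between $\rho_n^{|\theta\rangle}$ and $P^{|\theta\rangle} \rho_n^{|\theta\rangle} P^{|\theta\rangle}$, which gives

$$\delta \le 2 \int_{S_1(\mathcal{H})} \sqrt{\mathrm{tr}(\rho_n^{|\theta\rangle})}\, \sqrt{\mathrm{tr}(\rho_n^{|\theta\rangle}) - \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle})}\; \omega(|\theta\rangle) .$$

To bound the integral on the right hand side, we use the Cauchy-Schwarz
inequality for the scalar product defined by $(f|g) := \int_{S_1(\mathcal{H})} f(|\theta\rangle) g(|\theta\rangle)\, \omega(|\theta\rangle)$,
i.e.,

$$\delta \le 2 \sqrt{\int_{S_1(\mathcal{H})} \mathrm{tr}(\rho_n^{|\theta\rangle})\, \omega(|\theta\rangle)}\; \sqrt{\int_{S_1(\mathcal{H})} \big(\mathrm{tr}(\rho_n^{|\theta\rangle}) - \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle})\big)\, \omega(|\theta\rangle)} .$$

Because of (4.11), the first integral on the right hand side equals $\mathrm{tr}(\rho_{n+k}) =
1$, that is,

$$\delta \le 2 \sqrt{\int_{S_1(\mathcal{H})} \big(\mathrm{tr}(\rho_n^{|\theta\rangle}) - \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle})\big)\, \omega(|\theta\rangle)} . \tag{4.12}$$

Let $\bar{P}^{|\theta\rangle}$ be the projector orthogonal to $P^{|\theta\rangle}$, i.e., $\bar{P}^{|\theta\rangle} := \mathrm{id}_{\mathrm{Sym}(\mathcal{H}^{\otimes n})} - P^{|\theta\rangle}$.
With (4.10), the term in the integral can be rewritten as

$$\mathrm{tr}(\rho_n^{|\theta\rangle}) - \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle}) = \tbinom{k+d-1}{k} \cdot \mathrm{tr}\big(\bar{P}^{|\theta\rangle} \otimes (|\theta\rangle\langle\theta|)^{\otimes k} \cdot |\Psi\rangle\langle\Psi|\big) . \tag{4.13}$$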

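Let $|\theta\rangle \in \mathcal{H}$ be fixed and let $\{|x\rangle\}_{x \in \mathcal{X}}$ be an orthonormal basis of $\mathcal{H}$
with $|\bar{x}\rangle = |\theta\rangle$, for some $\bar{x} \in \mathcal{X}$. Moreover, for all frequency distributions
$Q \in \mathcal{Q}_n^{\mathcal{X}}$ and $\bar{Q} \in \mathcal{Q}_{n+k}^{\mathcal{X}}$, let $|\Theta_n^Q\rangle$ and $|\Theta_{n+k}^{\bar{Q}}\rangle$ be the vectors in $\mathrm{Sym}(\mathcal{H}^{\otimes n})$
and $\mathrm{Sym}(\mathcal{H}^{\otimes n+k})$, respectively, defined by (4.1).

According to Lemma 4.1.5 the family of vectors $|\Theta_n^Q\rangle$, for all $Q \in \mathcal{Q}_n^{\mathcal{X}}$, is
an orthonormal basis of $\mathrm{Sym}(\mathcal{H}^{\otimes n})$. Moreover, the subfamily where $Q(\bar{x}) \ge
\frac{n-r}{n}$ is a basis of $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$. Consequently, the projector $\bar{P}^{|\theta\rangle}$ on
the space orthogonal to $\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$ can be written as

$$\bar{P}^{|\theta\rangle} = \sum_{Q :\, Q(\bar{x}) < \frac{n-r}{n}} |\Theta_n^Q\rangle\langle\Theta_n^Q| .$$

Identity (4.13) then reads

$$\mathrm{tr}(\rho_n^{|\theta\rangle}) - \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle}) = \tbinom{k+d-1}{k} \sum_{Q :\, Q(\bar{x}) < \frac{n-r}{n}} \big| (\langle\Theta_n^Q| \otimes \langle\theta|^{\otimes k}) \cdot |\Psi\rangle \big|^2 . \tag{4.14}$$

Because the family of vectors $|\Theta_{n+k}^{\bar{Q}}\rangle$, for $\bar{Q} \in \mathcal{Q}_{n+k}^{\mathcal{X}}$, is a basis of the
symmetric subspace $\mathrm{Sym}(\mathcal{H}^{\otimes n+k})$ (see again Lemma 4.1.5) there exist coefficients
$\alpha_{\bar{Q}}$ such that

$$|\Psi\rangle = \sum_{\bar{Q}} \alpha_{\bar{Q}} |\Theta_{n+k}^{\bar{Q}}\rangle , \tag{4.15}$$

where the sum runs over all $\bar{Q} \in \mathcal{Q}_{n+k}^{\mathcal{X}}$.

It is easy to verify that, for any $Q \in \mathcal{Q}_n^{\mathcal{X}}$ and $\bar{Q} \in \mathcal{Q}_{n+k}^{\mathcal{X}}$, the scalar
product $(\langle\Theta_n^Q| \otimes \langle\theta|^{\otimes k}) \cdot |\Theta_{n+k}^{\bar{Q}}\rangle$ equals zero unless

$$(n+k)\bar{Q}(x) = \begin{cases} nQ(x) + k & \text{if } x = \bar{x} \\ nQ(x) & \text{otherwise} \end{cases} \tag{4.16}$$

holds for all $x \in \mathcal{X}$, in which case

$$(\langle\Theta_n^Q| \otimes \langle\theta|^{\otimes k}) \cdot |\Theta_{n+k}^{\bar{Q}}\rangle = \sqrt{\frac{n! \prod_x ((n+k)\bar{Q}(x))!}{(n+k)! \prod_x (nQ(x))!}} = \sqrt{\frac{n!\,(nQ(\bar{x}) + k)!}{(n+k)!\,(nQ(\bar{x}))!}} . \tag{4.17}$$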
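Let $Q \in \mathcal{Q}_n^{\mathcal{X}}$ with $Q(\bar{x}) < \frac{n-r}{n}$ and let $\bar{Q} \in \mathcal{Q}_{n+k}^{\mathcal{X}}$ such that (4.16) holds.
Then, from (4.15) and (4.17),

$$\big| (\langle\Theta_n^Q| \otimes \langle\theta|^{\otimes k}) \cdot |\Psi\rangle \big|^2 = |\alpha_{\bar{Q}}|^2\, \frac{n!\,(nQ(\bar{x}) + k)!}{(n+k)!\,(nQ(\bar{x}))!} \le |\alpha_{\bar{Q}}|^2\, D_{n,k,r} ,$$

where $D_{n,k,r} := \frac{n!\,(n-r-1+k)!}{(n+k)!\,(n-r-1)!}$. Note that $Q(\bar{x}) < \frac{n-r}{n}$ implies $\bar{Q}(\bar{x}) <
\frac{n+k-r}{n+k}$. Consequently, from (4.14),

$$\mathrm{tr}(\rho_n^{|\theta\rangle}) - \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle}) \le \tbinom{k+d-1}{k} \cdot D_{n,k,r} \sum_{\bar{Q} :\, \bar{Q}(\bar{x}) < \frac{n+k-r}{n+k}} |\alpha_{\bar{Q}}|^2 \le \tbinom{k+d-1}{k}\, D_{n,k,r} ,$$

where the last inequality follows from the fact that $\sum_{\bar{Q}} |\alpha_{\bar{Q}}|^2 =
\mathrm{tr}(\rho_{n+k}) = 1$. The term $D_{n,k,r}$ can be bounded by

$$D_{n,k,r} = \frac{(n-r)(n-r+1) \cdots (n+k-r-1)}{(n+1)(n+2) \cdots (n+k)} \le \Big(\frac{n+k-r-1}{n+k}\Big)^k = \Big(1 - \frac{r+1}{n+k}\Big)^k .$$

Defining $\beta := \frac{r+1}{n+k}$ and using the fact that, for any $\beta \in [0, 1]$, $(1-\beta)^{1/\beta} \le e^{-1}$,
we find

$$D_{n,k,r} \le (1 - \beta)^k = \big((1 - \beta)^{1/\beta}\big)^{\beta k} \le e^{-\beta k} .$$

Finally, because for any $k \ge 2$ (note that, for $k < 2$, the assertion is trivial)
$\binom{k+d-1}{k} \le k^d$, we have

$$\mathrm{tr}(\rho_n^{|\theta\rangle}) - \mathrm{tr}(P^{|\theta\rangle} \rho_n^{|\theta\rangle}) \le k^d e^{-\frac{k(r+1)}{n+k}} .$$

Inserting this into (4.12), the bound (4.9) follows because $\omega$ is a probability
measure on $S_1(\mathcal{H})$. □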

If the symmetric state $\rho_{n+k}$ on $\mathrm{Sym}(\mathcal{H}^{\otimes n+k})$ has some additional structure
then the set of states that contribute to the mixture in the expression of
Theorem 4.3.2 can be restricted. Remark 4.3.3 below treats the case where
the subspaces $\mathcal{H} = \mathcal{H}_A \otimes \mathcal{H}_B$ are bipartite systems and where the partial
state on $\mathcal{H}_A^{\otimes n+k}$ has product form.

Remark 4.3.3. Let $\mathcal{H} := \mathcal{H}_A \otimes \mathcal{H}_B$ be a bipartite Hilbert space, let
$\rho_{A^{n+k}B^{n+k}}$ be a pure density operator on $\mathrm{Sym}(\mathcal{H}^{\otimes n})$ such that $\rho_{A^{n+k}} =
\sigma_A^{\otimes n+k}$, let $0 \le r \le n$, and let $\nu$ be the measure defined by Theorem 4.3.2.
Then, for any $\delta > 0$, the set

$$\Gamma^\delta := \{|\theta\rangle \in S_1(\mathcal{H}) : \|\mathrm{tr}_B(|\theta\rangle\langle\theta|) - \sigma_A\|_1 > \delta\}$$

has at most weight $\nu(\Gamma^\delta) \le e^{-\frac{1}{4} k\delta^2 + \dim(\mathcal{H}) \ln k}$.
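Proof. Let $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n+k})$ and $\rho_n^{|\theta\rangle} \in \mathcal{P}(\mathrm{Sym}(\mathcal{H}^{\otimes n}))$ as defined in the
proof of Theorem 4.3.2. It then suffices to show that

$$\int_{\Gamma^\delta} \mathrm{tr}(\rho_n^{|\theta\rangle})\, \omega(|\theta\rangle) \le e^{-\frac{1}{4} k\delta^2 + d \ln k} , \tag{4.18}$$

where $\omega$ is the uniform probability measure on the unit sphere $S_1(\mathcal{H})$ and
$d := \dim(\mathcal{H})$.

Let $|\theta\rangle \in \Gamma^\delta$ be fixed, i.e., $\|\mathrm{tr}_B(|\theta\rangle\langle\theta|) - \sigma_A\|_1 > \delta$. Then, by (4.10),

$$\begin{aligned}
\mathrm{tr}(\rho_n^{|\theta\rangle}) &= \tbinom{k+d-1}{k} \cdot \mathrm{tr}\big(\mathrm{id}_{\mathcal{H}}^{\otimes n} \otimes (|\theta\rangle\langle\theta|)^{\otimes k} \cdot |\Psi\rangle\langle\Psi|\big) \\
&= \tbinom{k+d-1}{k} \cdot \mathrm{tr}\big((|\theta\rangle\langle\theta|)^{\otimes k} \cdot \rho_{A^kB^k}\big) ,
\end{aligned}$$

where $\rho_{A^kB^k} := \mathrm{tr}_n(\rho_{A^{n+k}B^{n+k}}) = \mathrm{tr}_n(|\Psi\rangle\langle\Psi|)$. Since the fidelity cannot
decrease when taking the partial trace (cf. Lemma A.1.5) we get

$$\begin{aligned}
\mathrm{tr}\big((|\theta\rangle\langle\theta|)^{\otimes k} \rho_{A^kB^k}\big) &= F\big(\rho_{A^kB^k}, (|\theta\rangle\langle\theta|)^{\otimes k}\big)^2 \\
&\le F\big(\rho_{A^k}, \mathrm{tr}_B((|\theta\rangle\langle\theta|)^{\otimes k})\big)^2 \\
&= F\big(\sigma_A^{\otimes k}, \mathrm{tr}_B(|\theta\rangle\langle\theta|)^{\otimes k}\big)^2 \\
&= F\big(\sigma_A, \mathrm{tr}_B(|\theta\rangle\langle\theta|)\big)^{2k} .
\end{aligned}$$

Because, by Lemma A.2.4,

$$F\big(\sigma_A, \mathrm{tr}_B(|\theta\rangle\langle\theta|)\big)^2 \le 1 - \tfrac{1}{4}\|\sigma_A - \mathrm{tr}_B(|\theta\rangle\langle\theta|)\|_1^2 \le 1 - \tfrac{\delta^2}{4} ,$$

we conclude

$$\mathrm{tr}(\rho_n^{|\theta\rangle}) \le \tbinom{k+d-1}{k} \Big(1 - \frac{\delta^2}{4}\Big)^k \le e^{-\frac{1}{4} k\delta^2 + d \ln k} ,$$

where we have used $\ln(1 - a) \le -a$, for $a \in [0, 1]$. Inequality (4.18) then
follows because $\omega$ is a probability measure. □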



4.4 Smooth min-entropy of symmetric states 

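Let $|\theta\rangle \in \mathcal{H}$, let $\mathcal{E}$ be a quantum operation from $\mathcal{H}$ to $\mathcal{H}_X \otimes \mathcal{H}_B$, and define
$\rho_{X^nB^n} := \mathcal{E}^{\otimes n}(|\Psi\rangle\langle\Psi|)$, for $|\Psi\rangle := |\theta\rangle^{\otimes n}$. Obviously, $\rho_{X^nB^n}$ has product
form, i.e., $\rho_{X^nB^n} = \sigma_{XB}^{\otimes n}$, where $\sigma_{XB} = \mathcal{E}(|\theta\rangle\langle\theta|)$. Hence, as demonstrated
in Section 3.3 (Corollary 3.3.7), the smooth min-entropy of such a product
state can be expressed in terms of the von Neumann entropy, that is,

$$\frac{1}{n} H_{\min}^{\varepsilon}(\rho_{X^nB^n}|B^n) \ge H(\sigma_{XB}) - H(\sigma_B) . \tag{4.19}$$

Theorem 4.4.1 below states that this still holds if the product state $|\Psi\rangle :=
|\theta\rangle^{\otimes n}$ is replaced by a state in the symmetric subspace of $\mathcal{H}^{\otimes n}$ along $|\theta\rangle^{\otimes n-r}$,
for some $r \ll n$.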
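Theorem 4.4.1. Let $0 \le r \le \frac{1}{2}n$, let $|\theta\rangle \in \mathcal{H}$ and $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$
be normalized, and let $\mathcal{E}$ be a trace-preserving CPM from $\mathcal{H}$ to $\mathcal{H}_X \otimes \mathcal{H}_B$
which is classical on $\mathcal{H}_X$. Define $\rho_{X^nB^n} := \mathcal{E}^{\otimes n}(|\Psi\rangle\langle\Psi|)$ and $\sigma_{XB} :=
\mathcal{E}(|\theta\rangle\langle\theta|)$. Then, for any $\varepsilon > 0$,

$$\frac{1}{n} H_{\min}^{\varepsilon}(\rho_{X^nB^n}|B^n) \ge H(\sigma_{XB}) - H(\sigma_B) - \delta ,$$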

where 5 := (f # max (Px) + 4) ^^Ç^ + h^Jn). 

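Proof. According to Lemma 4.1.6 there exists a family $\{|\Psi^s\rangle\}_{s \in \mathcal{S}}$ of orthonormal
vectors from $\mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$ of size $|\mathcal{S}| \le 2^{nh(r/n)}$ such that

$$|\Psi\rangle = \sum_{s \in \mathcal{S}} \gamma_s |\Psi^s\rangle , \tag{4.20}$$

where $\gamma_s$ are coefficients with $\sum_{s \in \mathcal{S}} |\gamma_s|^2 = 1$.

Let $\{E_w\}_{w \in \mathcal{W}}$ be the family of operators from $\mathcal{H}$ to $\mathcal{H}_X \otimes \mathcal{H}_B$ defined by
the CPM $\mathcal{E}$, i.e., $\mathcal{E}(\sigma) = \sum_{w \in \mathcal{W}} E_w \sigma E_w^\dagger$, for any operator $\sigma$ on $\mathcal{H}$. Moreover,
let $\mathcal{H}_W$ be a Hilbert space with orthonormal basis $\{|w\rangle\}_{w \in \mathcal{W}}$ and let $U$ be
the operator from $\mathcal{H}$ to $\mathcal{H}_X \otimes \mathcal{H}_B \otimes \mathcal{H}_W$ defined by

$$U := \sum_{w \in \mathcal{W}} E_w \otimes |w\rangle .$$

Because $\mathcal{E}$ is trace-preserving, i.e., $\sum_w E_w^\dagger E_w = \mathrm{id}_{\mathcal{H}}$, we have $U^\dagger U = \mathrm{id}_{\mathcal{H}}$,
that is, $U$ is unitary. Furthermore, for any operator $\sigma$ on $\mathcal{H}$,

$$\mathrm{tr}_W(U \sigma U^\dagger) = \mathcal{E}(\sigma) . \tag{4.21}$$

Let $|\Phi\rangle := U^{\otimes n}|\Psi\rangle$ and, similarly, for any $s \in \mathcal{S}$, let $|\Phi^s\rangle := U^{\otimes n}|\Psi^s\rangle$.
Then, using (4.20),

$$|\Phi\rangle = \sum_{s \in \mathcal{S}} \gamma_s |\Phi^s\rangle .$$

Because $U$ is unitary and the vectors $|\Psi^s\rangle$ are orthonormal, the vectors $|\Phi^s\rangle$
are orthonormal as well. Moreover, using (4.21),

$$\rho_{X^nB^n} = \mathcal{E}^{\otimes n}(|\Psi\rangle\langle\Psi|) = \mathrm{tr}_{W^n}\big(U^{\otimes n}|\Psi\rangle\langle\Psi|(U^\dagger)^{\otimes n}\big) = \mathrm{tr}_{W^n}(|\Phi\rangle\langle\Phi|) .$$

Let $\rho^s_{X^nB^n} := \mathrm{tr}_{W^n}(|\Phi^s\rangle\langle\Phi^s|)$ and define the operator $\bar{\rho}_{X^nB^nS}$ on $\mathcal{H}_X^{\otimes n} \otimes
\mathcal{H}_B^{\otimes n} \otimes \mathcal{H}_S$ by

$$\bar{\rho}_{X^nB^nS} := \sum_{s \in \mathcal{S}} |\gamma_s|^2 \rho^s_{X^nB^n} \otimes |s\rangle\langle s| ,$$

where $\mathcal{H}_S$ is a Hilbert space with orthonormal basis $\{|s\rangle\}_{s \in \mathcal{S}}$. Lemma 3.2.11
then allows us to express the smooth min-entropy of $\rho_{X^nB^n}$ in terms of the
smooth min-entropy of $\bar{\rho}_{X^nB^nS}$. Moreover, by Lemma 3.2.8 the smooth
min-entropy of $\bar{\rho}_{X^nB^nS}$ is lower bounded by the min-entropy of the operators
$\rho^s_{X^nB^n}$.

$$\begin{aligned}
H_{\min}^{\varepsilon}(\rho_{X^nB^n}|\rho_{B^n}) &\ge H_{\min}^{\bar{\varepsilon}}(\bar{\rho}_{X^nB^nS}|\bar{\rho}_{B^nS}) - H_{\max}(\bar{\rho}_S) \\
&\ge \min_{s \in \mathcal{S}} H_{\min}^{\bar{\varepsilon}}(\rho^s_{X^nB^n}|\rho^s_{B^n}) - H_{\max}(\bar{\rho}_S) ,
\end{aligned}$$

where $\bar{\varepsilon}$ = Using the fact that $|\mathcal{S}| \le 2^{nh(r/n)}$, we find

$$H_{\min}^{\varepsilon}(\rho_{X^nB^n}|\rho_{B^n}) \ge \min_{s \in \mathcal{S}} H_{\min}^{\bar{\varepsilon}}(\rho^s_{X^nB^n}|\rho^s_{B^n}) - nh(r/n) \tag{4.22}$$

and

$$\log(1/\bar{\varepsilon}) \le \log(2/\varepsilon) + \log 6 + nh(r/n) . \tag{4.23}$$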

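Let us now compute the min-entropies of the operators $\rho^s_{X^nB^n}$, for $s \in
\mathcal{S}$. Since $|\Psi^s\rangle \in \mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$, the vector $|\Psi^s\rangle$, after some appropriate
reordering of the subsystems, has the form $|\Psi^s\rangle = |\theta\rangle^{\otimes n-r} \otimes |\tilde{\Psi}^s\rangle$, for some
$|\tilde{\Psi}^s\rangle \in \mathcal{H}^{\otimes r}$. Hence, the same holds for the vector $|\Phi^s\rangle$, i.e.,

$$|\Phi^s\rangle = U^{\otimes n}|\Psi^s\rangle = (U|\theta\rangle)^{\otimes n-r} \otimes U^{\otimes r}|\tilde{\Psi}^s\rangle .$$

Consequently, from (4.21) and the definition of $\sigma_{XB}$,

$$\begin{aligned}
\rho^s_{X^nB^n} &= \big(\mathrm{tr}_W(U|\theta\rangle\langle\theta|U^\dagger)\big)^{\otimes n-r} \otimes \mathrm{tr}_{W^r}\big(U^{\otimes r}|\tilde{\Psi}^s\rangle\langle\tilde{\Psi}^s|(U^\dagger)^{\otimes r}\big) \\
&= \sigma_{XB}^{\otimes n-r} \otimes \rho^s_{X^rB^r} ,
\end{aligned}$$

where $\rho^s_{X^rB^r} := \mathcal{E}^{\otimes r}(|\tilde{\Psi}^s\rangle\langle\tilde{\Psi}^s|)$. Because $\mathcal{E}$ is classical on $\mathcal{H}_X$, $\rho^s_{X^rB^r}$ is
also classical on $\mathcal{H}_X^{\otimes r}$. Using the superadditivity of the smooth min-entropy
(Lemma 3.2.6) and the fact that the min-entropy of a classical subsystem
cannot be negative (Lemma 3.1.9) we find

$$\begin{aligned}
H_{\min}^{\bar{\varepsilon}}(\rho^s_{X^nB^n}|\rho^s_{B^n}) &\ge H_{\min}^{\bar{\varepsilon}}(\sigma_{XB}^{\otimes n-r}|\sigma_B^{\otimes n-r}) + H_{\min}(\rho^s_{X^rB^r}|\rho^s_{B^r}) \\
&\ge H_{\min}^{\bar{\varepsilon}}(\sigma_{XB}^{\otimes n-r}|\sigma_B^{\otimes n-r}) .
\end{aligned}$$

Furthermore, because $\sigma_{XB}$ is classical on $\mathcal{H}_X$, we can use Corollary 3.3.7
to bound the smooth min-entropy of the product state in terms of the von
Neumann entropy,

$$\begin{aligned}
H_{\min}^{\bar{\varepsilon}}(\sigma_{XB}^{\otimes n-r}|\sigma_B^{\otimes n-r}) &\ge (n-r)\big(H(\sigma_{XB}) - H(\sigma_B) - \delta'\big) \\
&\ge n\big(H(\sigma_{XB}) - H(\sigma_B)\big) - rH_{\max}(\rho_X) - (n-r)\delta'
\end{aligned}$$

with $\delta' := (2H_{\max}(\rho_X) + 3)\sqrt{\frac{\log(1/\bar{\varepsilon}) + 1}{n-r}}$. Together with (4.22) and (4.24) we
conclude

$$\frac{1}{n} H_{\min}^{\varepsilon}(\rho_{X^nB^n}|\rho_{B^n}) \ge H(\sigma_{XB}) - H(\sigma_B) - h(r/n) - \frac{r}{n} H_{\max}(\rho_X) - \frac{n-r}{n}\delta' . \tag{4.25}$$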
Moreover, from (4.23),

$$\sqrt{n-r} \cdot \delta' \le (2H_{\max}(\rho_X) + 3)\sqrt{\log(2/\varepsilon) + nh(r/n) + \log 6 + 1} ,$$

and hence, using the fact that $c \le \sqrt{c}$, for any $c \le 1$,

$$\frac{n-r}{n}\,\delta' \le \sqrt{\frac{n-r}{n}}\,\delta' \le (2H_{\max}(\rho_X) + 3)\sqrt{\frac{\log(2/\varepsilon) + 4}{n} + h(r/n)} .$$

Finally, because ^ < h(r/n) and h(r/n) < y/h(r /n), we find 

7* 77/ — 7* 

fc(r/n) + -H max (p x ) + S' 

n n 

< (§2W(p*) + 4) J 21 ° g(2/£)+4 + %/^) • 
v 2 7 V re 

Inserting this into (4.25) concludes the proof. □

4.5 Statistics of symmetric states 

Let $z_1, \ldots, z_n$ be the outcomes of $n$ independent measurements of a state
$|\theta\rangle \in \mathcal{H}$ with respect to a POVM $\mathcal{M} = \{M_z\}_{z \in \mathcal{Z}}$. The law of large numbers
tells us that, for large $n$, the statistics $\lambda_{\mathbf{z}}$ of the n-tuple $\mathbf{z} = (z_1, \ldots, z_n)$ is
close to the probability distribution $P_Z$ defined by $P_Z(z) := \mathrm{tr}(M_z|\theta\rangle\langle\theta|)$,
for $z \in \mathcal{Z}$. Theorem 4.5.2 below states that the same is true if the n-tuple
$\mathbf{z}$ is the outcome of a product measurement $\mathcal{M}^{\otimes n}$ applied to a state $|\Psi\rangle$ of
the symmetric subspace of $\mathcal{H}^{\otimes n}$ along $|\theta\rangle^{\otimes n-r}$, for some small $r \ll n$.
For the proof of this result, we need the following technical lemma.

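Lemma 4.5.1. Let $|\psi\rangle = \sum_{x \in \mathcal{X}} |\psi^x\rangle$ and let $\rho \in \mathcal{P}(\mathcal{H})$. Then

Proof. Let $\rho = \sum_{y \in \mathcal{Y}} p_y |y\rangle\langle y|$ be a spectral decomposition of $\rho$. For any
$y \in \mathcal{Y}$,

$$|\langle y|\psi\rangle|^2 = \Big|\sum_{x} \langle y|\psi^x\rangle\Big|^2 \le \Big(\sum_{x} |\langle y|\psi^x\rangle|\Big)^2 \le |\mathcal{X}| \sum_{x} |\langle y|\psi^x\rangle|^2 ,$$

where we have used the Cauchy-Schwarz inequality in the last step. Consequently,

$$\begin{aligned}
\langle\psi|\rho|\psi\rangle &= \sum_{y \in \mathcal{Y}} p_y |\langle y|\psi\rangle|^2 \\
&\le |\mathcal{X}| \sum_{y \in \mathcal{Y}} \sum_{x \in \mathcal{X}} p_y |\langle y|\psi^x\rangle|^2 \\
&= |\mathcal{X}| \sum_{x \in \mathcal{X}} \sum_{y \in \mathcal{Y}} p_y \langle\psi^x|y\rangle\langle y|\psi^x\rangle \\
&= |\mathcal{X}| \sum_{x \in \mathcal{X}} \langle\psi^x|\rho|\psi^x\rangle . \qquad □
\end{aligned}$$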



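Theorem 4.5.2. Let $0 \le r \le \frac{1}{2}n$, let $|\theta\rangle \in \mathcal{H}$ and $|\Psi\rangle \in \mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$
be normalized, let $\mathcal{M} = \{M_z\}_{z \in \mathcal{Z}}$ be a POVM on $\mathcal{H}$, and let $P_Z$ be the
probability distribution of the outcomes of the measurement $\mathcal{M}$ applied to
$|\theta\rangle\langle\theta|$. Then

$$\Pr_{\mathbf{z}}\Big[ \|\lambda_{\mathbf{z}} - P_Z\|_1 > 2\sqrt{\frac{\log(1/\varepsilon)}{n} + h(r/n) + \frac{|\mathcal{Z}|}{n}\log\Big(\frac{n}{2} + 1\Big)} \Big] \le \varepsilon ,$$

where the probability is taken over the outcomes $\mathbf{z} = (z_1, \ldots, z_n)$ of the
product measurement $\mathcal{M}^{\otimes n}$ applied to $|\Psi\rangle\langle\Psi|$.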

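Proof. According to Lemma 4.1.6 the vector $|\Psi\rangle$ can be written as a superposition
of orthonormal vectors $|\Psi^s\rangle \in \mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$, that is,

$$|\Psi\rangle = \sum_{s \in \mathcal{S}} \gamma_s |\Psi^s\rangle , \tag{4.26}$$

where $\mathcal{S}$ is a set of size $|\mathcal{S}| \le 2^{nh(r/n)}$ and where $\gamma_s$ are coefficients such that
$\sum_{s \in \mathcal{S}} |\gamma_s|^2 = 1$.

Let now $s \in \mathcal{S}$ be fixed. Because $|\Psi^s\rangle \in \mathcal{V}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes n-r})$, there exists
a permutation $\pi$ which maps $|\Psi^s\rangle$ to a vector which, on the first $n - r$
subsystems, has the form $|\theta\rangle^{\otimes n-r}$. We can thus assume without loss of
generality that $|\Psi^s\rangle = |\theta\rangle^{\otimes n-r} \otimes |\tilde{\Psi}^s\rangle$ for some $|\tilde{\Psi}^s\rangle \in \mathcal{H}^{\otimes r}$.

Let $\mathbf{z} = (z_1, \ldots, z_n)$ be the outcome of the measurement $\mathcal{M}^{\otimes n}$ applied to
$|\Psi^s\rangle\langle\Psi^s|$ and define $\mathbf{z}' := (z_1, \ldots, z_{n-r})$ and $\mathbf{z}'' := (z_{n-r+1}, \ldots, z_n)$. Clearly,
$\mathbf{z}'$ is distributed according to the product distribution $P_Z^{n-r}$. Hence, with
high probability, $\mathbf{z}'$ is a typical sequence, that is, by Corollary B.3.3,

$$\Pr_{\mathbf{z}'}\Big[ \|\lambda_{\mathbf{z}'} - P_Z\|_1 > \sqrt{2(\ln 2)\Big(\delta + \frac{|\mathcal{Z}|\log(n-r+1)}{n-r}\Big)} \Big] \le 2^{-(n-r)\delta} , \tag{4.27}$$

for any $\delta > 0$. Moreover, because $\lambda_{\mathbf{z}} = \frac{n-r}{n}\lambda_{\mathbf{z}'} + \frac{r}{n}\lambda_{\mathbf{z}''}$, we can apply the
triangle inequality which gives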

||A Z - P z || < ||A Z / - P z \l + -\\K» ~ Pz\l < ||A Z / - PzIL + - . 

M ni n ii ni n n ni ii ni n 
Using this inequality and the assumption $r \le \frac{1}{2}n$, (4.27) implies that

$$\Pr_{\mathbf{z} \leftarrow |\Psi^s\rangle}[\mathbf{z} \in \mathcal{W}_\delta] \le 2^{-\frac{n\delta}{2}} , \tag{4.28}$$

where we write $\mathbf{z} \leftarrow |\Psi^s\rangle$ to indicate that $\mathbf{z}$ is distributed according to the
outcomes of the measurement $\mathcal{M}^{\otimes n}$ applied to $|\Psi^s\rangle$ and where $\mathcal{W}_\delta$ is the subset
of $\mathcal{Z}^n$ defined by



W 5 :={zeZ n : \\\,-P z \\i > A/2(ln2)(<5+^log(^ + l)) +-} . 
1 V n 2 ' n' 

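Let $M_{\mathbf{z}} := M_{z_1} \otimes \cdots \otimes M_{z_n}$, for $\mathbf{z} = (z_1, \ldots, z_n) \in \mathcal{Z}^n$, be the linear
operators defined by the POVM $\mathcal{M}^{\otimes n}$. Then, using Lemma 4.5.1, (4.26),
and (4.28) we get

$$\begin{aligned}
\Pr_{\mathbf{z} \leftarrow |\Psi\rangle}[\mathbf{z} \in \mathcal{W}_\delta] &= \sum_{\mathbf{z} \in \mathcal{W}_\delta} \langle\Psi|M_{\mathbf{z}}|\Psi\rangle \\
&\le |\mathcal{S}| \sum_{\mathbf{z} \in \mathcal{W}_\delta} \sum_{s \in \mathcal{S}} |\gamma_s|^2 \langle\Psi^s|M_{\mathbf{z}}|\Psi^s\rangle \\
&= |\mathcal{S}| \sum_{s \in \mathcal{S}} |\gamma_s|^2 \Pr_{\mathbf{z} \leftarrow |\Psi^s\rangle}[\mathbf{z} \in \mathcal{W}_\delta] \\
&\le 2^{nh(r/n)}\, 2^{-\frac{n\delta}{2}} \\
&= 2^{-n(\frac{\delta}{2} - h(r/n))} .
\end{aligned}$$

Hence, with $\delta := \frac{2\log(1/\varepsilon)}{n} + 2h(r/n)$,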



Pr 

z 



|A Z - Pzllx > ; /4(ln2)(^^ + fc(r/n) + ^ log£ + 1)) + - 
1 n n 2 n 



< £ . 



The assertion then follows from the fact that -y/c + ^ < y c + ^ , for any 
c > with c + ^ < 1, and from ^ < /i(r/n). □ 



Chapter 5 

Privacy Amplification 



A fundamental problem in cryptography is to distill a secret key from only
partially secret data, on which an adversary might have information encoded
into the state of a quantum system. In this chapter, we propose a general
solution to this problem, which is called privacy amplification: We show that
the key computed as the output of a hash function (chosen at random from
a two-universal$^1$ family of functions) is secure under the sole condition that
its length is smaller than the adversary's uncertainty on the input, measured
in terms of (smooth) min-entropy.

We start with the derivation of various technical results (Sections 5.1–5.4).
These are used for the proof of the main statement, which is first
formulated in terms of min-entropy (Section 5.5) and then generalized to
smooth min-entropy (Section 5.6).

5.1 Bounding the norm of hermitian operators 

In this section, we derive an upper bound on the trace norm for hermitian
operators (Lemma 5.1.3). The bound only involves matrix multiplications,
which makes it easy to evaluate.

Lemma 5.1.1. Let $S$ and $T$ be hermitian operators on $\mathcal{H}$. Then

$$\mathrm{tr}(ST) \le \sqrt{\mathrm{tr}(S^2)\,\mathrm{tr}(T^2)} .$$

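Proof. Let $S = \sum_{y \in \mathcal{Y}} \beta_y |y\rangle\langle y|$ and $T = \sum_{z \in \mathcal{Z}} \gamma_z |z\rangle\langle z|$ be spectral decompositions
of $S$ and $T$, respectively. With the definition $a_{y,z} := |\langle y|z\rangle|^2$, we
have

$$\mathrm{tr}(ST) = \sum_{y,z} \beta_y \gamma_z\, \mathrm{tr}(|y\rangle\langle y| \cdot |z\rangle\langle z|) = \sum_{y,z} \beta_y \gamma_z a_{y,z} .$$

On the other hand, $\mathrm{tr}(S^2) = \sum_y \beta_y^2$ and $\mathrm{tr}(T^2) = \sum_z \gamma_z^2$. It thus suffices to
show that

$$\sum_{y,z} \beta_y \gamma_z a_{y,z} \le \sqrt{\sum_y \beta_y^2 \sum_z \gamma_z^2} . \tag{5.1}$$

It is easy to verify that $(a_{y,z})_{y \in \mathcal{Y}, z \in \mathcal{Z}}$ is a bistochastic matrix. Hence,
according to Birkhoff's theorem (cf. Theorem B.2.2) there exist nonnegative
coefficients $\mu_\pi$ parameterized by the bijections $\pi$ from $\mathcal{Z}$ to $\mathcal{Y}$ such that
$\sum_\pi \mu_\pi = 1$ and, for any $y \in \mathcal{Y}$, $z \in \mathcal{Z}$, $a_{y,z} = \sum_\pi \mu_\pi \delta_{y,\pi(z)}$. We thus have

$$\sum_{y,z} \beta_y \gamma_z a_{y,z} = \sum_\pi \mu_\pi \sum_{y,z} \beta_y \gamma_z \delta_{y,\pi(z)} . \tag{5.2}$$

Furthermore, by the Cauchy-Schwarz inequality, for any fixed bijection
$\pi$,

$$\sum_z \beta_{\pi(z)} \gamma_z \le \sqrt{\sum_y \beta_y^2 \sum_z \gamma_z^2} .$$

This can be rewritten as

$$\sum_{y,z} \beta_y \gamma_z \delta_{y,\pi(z)} \le \sqrt{\sum_y \beta_y^2 \sum_z \gamma_z^2} .$$

Inserting this into (5.2) implies (5.1) and thus concludes the proof. □

$^1$ See Section 5.4 for a definition.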

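Lemma 5.1.2. Let $S$ be a hermitian operator on $\mathcal{H}$ and let $\sigma$ be a nonnegative
operator on $\mathcal{H}$. Then

$$\mathrm{tr}|\sqrt{\sigma} S \sqrt{\sigma}| \le \sqrt{\mathrm{tr}(S^2)\,\mathrm{tr}(\sigma^2)} .$$

Proof. Let $\{|v\rangle\}_{v \in \mathcal{V}}$ be an eigenbasis of $\sqrt{\sigma} S \sqrt{\sigma}$ and let $S = \sum_{x \in \mathcal{X}} \alpha_x |x\rangle\langle x|$
be a spectral decomposition of $S$. Then

$$\begin{aligned}
\mathrm{tr}|\sqrt{\sigma} S \sqrt{\sigma}| &= \sum_v |\langle v|\sqrt{\sigma} S \sqrt{\sigma}|v\rangle| \\
&= \sum_v \Big|\sum_x \alpha_x \langle v|\sqrt{\sigma}|x\rangle\langle x|\sqrt{\sigma}|v\rangle\Big| \\
&\le \sum_v \sum_x |\alpha_x| \langle v|\sqrt{\sigma}|x\rangle\langle x|\sqrt{\sigma}|v\rangle \\
&= \sum_v \langle v|\sqrt{\sigma}|S|\sqrt{\sigma}|v\rangle \\
&= \mathrm{tr}(\sqrt{\sigma}|S|\sqrt{\sigma}) .
\end{aligned}$$

Furthermore, by Lemma 5.1.1,

$$\mathrm{tr}(\sqrt{\sigma}|S|\sqrt{\sigma}) = \mathrm{tr}(|S|\sigma) \le \sqrt{\mathrm{tr}(|S|^2)\,\mathrm{tr}(\sigma^2)} = \sqrt{\mathrm{tr}(S^2)\,\mathrm{tr}(\sigma^2)} ,$$

which concludes the proof. □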
Lemma 5.1.3. Let $S$ be a hermitian operator on $\mathcal{H}$ and let $\sigma$ be a nonnegative
operator on $\mathcal{H}$. Then

$$\|S\|_1 \le \sqrt{\mathrm{tr}(\sigma)\,\mathrm{tr}(S\sigma^{-1/2}S\sigma^{-1/2})} .$$

Proof. The assertion follows directly from Lemma 5.1.2 with $\bar{\sigma} := \sqrt{\sigma}$ and
$\bar{S} := \sigma^{-1/4} S \sigma^{-1/4}$, that is, $\sigma = \bar{\sigma}^2$ and $S = \sqrt{\bar{\sigma}}\, \bar{S} \sqrt{\bar{\sigma}}$. □

5.2 Distance from uniform 

According to the discussion on universal security in Section 2.2.2 the security
of a key is defined with respect to its $L_1$-distance from a perfect
key which is uniformly distributed and independent of the adversary's state
(see (2.6)). This motivates the following definition.

Definition 5.2.1. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$. Then the $L_1$-distance from
uniform of $\rho_{AB}$ given $B$ is

$$d(\rho_{AB}|B) := \|\rho_{AB} - \rho_U \otimes \rho_B\|_1 ,$$

where $\rho_U := \frac{1}{\dim(\mathcal{H}_A)} \mathrm{id}_A$ is the fully mixed state on $\mathcal{H}_A$.

For an operator $\rho_{XZ}$ defined by a classical probability distribution $P_{XZ}$,
$d(\rho_{XZ}|Z)$ is the expectation (over $z$ chosen according to $P_Z$) of the $L_1$-distance
between the conditional distribution $P_{X|Z=z}$ and the uniform distribution.
This property is generalized by the following lemma.

Lemma 5.2.2. Let $\rho_{ABZ}$ be classical with respect to an orthonormal basis
$\{|z\rangle\}_{z \in \mathcal{Z}}$ of $\mathcal{H}_Z$ and let $\rho^z_{AB}$, for $z \in \mathcal{Z}$, be the corresponding (non-normalized)
conditional operators. Then

$$d(\rho_{ABZ}|BZ) = \sum_{z \in \mathcal{Z}} d(\rho^z_{AB}|B) .$$

Proof. Let $\rho_U$ be the fully mixed state on $\mathcal{H}_A$. Then, by Lemma A.2.2,

$$\begin{aligned}
d(\rho_{ABZ}|BZ) &= \|\rho_{ABZ} - \rho_U \otimes \rho_{BZ}\|_1 \\
&= \sum_{z \in \mathcal{Z}} \|\rho^z_{AB} - \rho_U \otimes \rho^z_B\|_1 \\
&= \sum_{z \in \mathcal{Z}} d(\rho^z_{AB}|B) . \qquad □
\end{aligned}$$
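To derive our result on the security of privacy amplification, it is convenient
to consider an alternative measure for the distance from uniform.
Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. The (conditional) $L_2$-distance from
uniform of $\rho_{AB}$ relative to $\sigma_B$ is defined by

$$d_2(\rho_{AB}|\sigma_B) := \mathrm{tr}\Big(\big((\rho_{AB} - \rho_U \otimes \rho_B)(\mathrm{id}_A \otimes \sigma_B^{-1/2})\big)^2\Big) ,$$

where $\rho_U$ is the fully mixed state on $\mathcal{H}_A$. Note that $d_2(\rho_{AB}|\sigma_B)$ can equivalently
be written as

$$d_2(\rho_{AB}|\sigma_B) = \mathrm{tr}\Big(\big((\mathrm{id}_A \otimes \sigma_B^{-1/4})(\rho_{AB} - \rho_U \otimes \rho_B)(\mathrm{id}_A \otimes \sigma_B^{-1/4})\big)^2\Big) , \tag{5.3}$$

which proves that $d_2(\rho_{AB}|\sigma_B)$ cannot be negative.

The $L_2$-distance from uniform can be used to bound the $L_1$-distance
from uniform.

Lemma 5.2.3. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$. Then, for any $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$,

$$d(\rho_{AB}|B) \le \sqrt{\dim(\mathcal{H}_A)\,\mathrm{tr}(\sigma_B)\, d_2(\rho_{AB}|\sigma_B)} .$$

Proof. The assertion follows directly from Lemma 5.1.3 with $S := \rho_{AB} -
\rho_U \otimes \rho_B$ and $\sigma := \mathrm{id}_A \otimes \sigma_B$, where $\rho_U$ is the fully mixed state on $\mathcal{H}_A$. □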

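The following lemma provides an expression for the $L_2$-distance from
uniform for the case where the first subsystem is classical.

Lemma 5.2.4. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be classical with respect to an
orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$, let $\rho^x_B$, for $x \in \mathcal{X}$, be the corresponding
(non-normalized) conditional operators, and let $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. Then

$$d_2(\rho_{XB}|\sigma_B) = \sum_x \mathrm{tr}\big((\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4})^2\big) - \frac{1}{|\mathcal{X}|}\mathrm{tr}\big((\sigma_B^{-1/4} \rho_B \sigma_B^{-1/4})^2\big) .$$

Proof. Let $\rho_U$ be the fully mixed state on $\mathcal{H}_X$. Because $\rho_{XB}$ is classical on
$\mathcal{H}_X$, we have

$$\rho_{XB} - \rho_U \otimes \rho_B = \sum_x |x\rangle\langle x| \otimes \Big(\rho^x_B - \frac{1}{|\mathcal{X}|}\rho_B\Big) ,$$

and thus

$$(\mathrm{id}_X \otimes \sigma_B^{-1/4})(\rho_{XB} - \rho_U \otimes \rho_B)(\mathrm{id}_X \otimes \sigma_B^{-1/4}) = \sum_x |x\rangle\langle x| \otimes \Big(\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4} - \frac{1}{|\mathcal{X}|}\sigma_B^{-1/4} \rho_B \sigma_B^{-1/4}\Big) .$$

Hence, since $\{|x\rangle\}_{x \in \mathcal{X}}$ is an orthonormal basis,

$$\begin{aligned}
\mathrm{tr}\Big(\big((\mathrm{id}_X \otimes \sigma_B^{-1/4})&(\rho_{XB} - \rho_U \otimes \rho_B)(\mathrm{id}_X \otimes \sigma_B^{-1/4})\big)^2\Big) \\
&= \sum_x \mathrm{tr}\Big(\big(\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4} - \frac{1}{|\mathcal{X}|}\sigma_B^{-1/4} \rho_B \sigma_B^{-1/4}\big)^2\Big) \\
&= \sum_x \mathrm{tr}\big((\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4})^2\big) - \frac{1}{|\mathcal{X}|}\mathrm{tr}\big((\sigma_B^{-1/4} \rho_B \sigma_B^{-1/4})^2\big) ,
\end{aligned}$$

where the second equality holds because $\sum_x \rho^x_B = \rho_B$. The assertion then
follows from (5.3). □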

5.3 Collision entropy 

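Definition 5.3.1 below can be seen as a generalization of the well-known classical (conditional) collision entropy to quantum states.

Definition 5.3.1. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ and $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$. Then the collision entropy of $\rho_{AB}$ relative to $\sigma_B$ is

$$H_2(\rho_{AB}|\sigma_B) := -\log \frac{1}{\mathrm{tr}(\rho_{AB})} \mathrm{tr}\Bigl(\bigl(\rho_{AB}(\mathrm{id}_A \otimes \sigma_B^{-1/2})\bigr)^2\Bigr) .$$

Remark 5.3.2. It follows immediately from Lemma B.5.3 that

$$H_{\min}(\rho_{AB}|\sigma_B) \le H_2(\rho_{AB}|\sigma_B) .$$

Remark 5.3.3. If $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ is classical with respect to an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$ such that the (non-normalized) conditional operators $\rho^x_B$ on $\mathcal{H}_B$, for $x \in \mathcal{X}$, are orthogonal then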



5.4 Two-universal hashing 

Definition 5.4.1. Let $\mathcal{F}$ be a family of functions from $\mathcal{X}$ to $\mathcal{Z}$ and let $P_F$ be a probability distribution on $\mathcal{F}$. The pair $(\mathcal{F}, P_F)$ is called two-universal if $\Pr_f[f(x) = f(x')] \le \frac{1}{|\mathcal{Z}|}$, for any distinct $x, x' \in \mathcal{X}$ and $f$ chosen at random from $\mathcal{F}$ according to the distribution $P_F$.

In accordance with the standard literature on two-universal hashing, we will, for simplicity, assume that $P_F$ is the uniform distribution on $\mathcal{F}$. In particular, the family $\mathcal{F}$ is said to be two-universal if $(\mathcal{F}, P_F)$, for $P_F$ uniform, is two-universal. It is, however, easy to see that all statements proven below also hold with respect to the general definition where $P_F$ is arbitrary.

We will use the following lemma on the existence of two-universal function families.

Lemma 5.4.2. Let $0 \le \ell \le n$. Then there exists a two-universal family of hash functions from $\{0,1\}^n$ to $\{0,1\}^\ell$.

Proof. For the proof of this statement we refer to [CW79] or [WC81], where explicit constructions of hash function families are given. □

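Consider an operator $\rho_{XB}$ which is classical with respect to an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$ and assume that $f$ is a function from $\mathcal{X}$ to $\mathcal{Z}$. The density operator describing the classical function output together with the quantum system $\mathcal{H}_B$ is then given by

$$\rho_{f(X)B} := \sum_{z \in \mathcal{Z}} |z\rangle\langle z| \otimes \rho^z_B \quad \text{for} \quad \rho^z_B := \sum_{x \in f^{-1}(z)} \rho^x_B , \qquad (5.4)$$

where $\{|z\rangle\}_{z \in \mathcal{Z}}$ is an orthonormal basis of $\mathcal{H}_Z$.

Assume now that the function $f$ is randomly chosen from a family of functions $\mathcal{F}$ according to a probability distribution $P_F$. The function output $f(x)$, the state of the quantum system, and the choice of the function $f$ are then described by the operator

$$\rho_{F(X)BF} := \sum_{f \in \mathcal{F}} P_F(f)\, \rho_{f(X)B} \otimes |f\rangle\langle f| \qquad (5.5)$$

on $\mathcal{H}_Z \otimes \mathcal{H}_B \otimes \mathcal{H}_F$, where $\mathcal{H}_F$ is a Hilbert space with orthonormal basis $\{|f\rangle\}_{f \in \mathcal{F}}$.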

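The following lemma provides an upper bound on the expected $L_2$-distance from uniform of a key computed by two-universal hashing.

Lemma 5.4.3. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be classical on $\mathcal{H}_X$, let $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$, and let $\mathcal{F}$ be a two-universal family of hash functions from $\mathcal{X}$ to $\mathcal{Z}$. Then

$$\mathbb{E}_f\bigl[d_2(\rho_{f(X)B}|\sigma_B)\bigr] \le \mathrm{tr}(\rho_{XB})\, 2^{-H_2(\rho_{XB}|\sigma_B)}$$

for $\rho_{f(X)B} \in \mathcal{P}(\mathcal{H}_Z \otimes \mathcal{H}_B)$ defined by (5.4) and $f$ chosen uniformly from $\mathcal{F}$.

Proof. Since $\rho_{f(X)B}$ is classical on $\mathcal{H}_Z$, we have, according to Lemma 5.2.4,

$$d_2(\rho_{f(X)B}|\sigma_B) = \sum_z \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho^z_B \sigma_B^{-1/4})^2\bigr) - \frac{1}{|\mathcal{Z}|} \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho_B \sigma_B^{-1/4})^2\bigr) , \qquad (5.6)$$

where $\rho^z_B$, for $z \in \mathcal{Z}$, are the conditional operators defined by (5.4). The first term on the right hand side of (5.6) can be rewritten as

$$\begin{aligned}
\sum_z \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho^z_B \sigma_B^{-1/4})^2\bigr)
&= \sum_z \sum_{x, x' \in f^{-1}(z)} \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4})(\sigma_B^{-1/4} \rho^{x'}_B \sigma_B^{-1/4})\bigr) \\
&= \sum_{x, x'} \delta_{f(x), f(x')}\, \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4})(\sigma_B^{-1/4} \rho^{x'}_B \sigma_B^{-1/4})\bigr) .
\end{aligned}$$

Similarly, for the second term of (5.6) we find

$$\frac{1}{|\mathcal{Z}|} \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho_B \sigma_B^{-1/4})^2\bigr) = \sum_{x, x'} \frac{1}{|\mathcal{Z}|} \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4})(\sigma_B^{-1/4} \rho^{x'}_B \sigma_B^{-1/4})\bigr) .$$

Hence,

$$\mathbb{E}_f\bigl[d_2(\rho_{f(X)B}|\sigma_B)\bigr] = \sum_{x, x'} \mathbb{E}_f\Bigl[\delta_{f(x), f(x')} - \frac{1}{|\mathcal{Z}|}\Bigr] \cdot \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4})(\sigma_B^{-1/4} \rho^{x'}_B \sigma_B^{-1/4})\bigr) . \qquad (5.7)$$

Because $f$ is chosen at random from a two-universal family of hash functions from $\mathcal{X}$ to $\mathcal{Z}$, we have, for any $x \ne x'$,

$$\mathbb{E}_f\Bigl[\delta_{f(x), f(x')} - \frac{1}{|\mathcal{Z}|}\Bigr] = \Pr_f[f(x) = f(x')] - \frac{1}{|\mathcal{Z}|} \le 0 .$$

Since the trace $\mathrm{tr}(\sigma \sigma')$ of two nonnegative operators $\sigma, \sigma' \in \mathcal{P}(\mathcal{H})$ cannot be negative (cf. Lemma B.5.2), the trace on the right hand side of (5.7) cannot be negative, for any $x, x' \in \mathcal{X}$. Consequently, when omitting all terms with $x \ne x'$, the sum can only get larger, that is,

$$\mathbb{E}_f\bigl[d_2(\rho_{f(X)B}|\sigma_B)\bigr] \le \sum_x \mathrm{tr}\bigl((\sigma_B^{-1/4} \rho^x_B \sigma_B^{-1/4})^2\bigr) .$$

The assertion then follows from Remark 5.3.3. □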



5.5 Security of privacy amplification

We are now ready to state our main result on privacy amplification in the context of quantum adversaries. Let $X$ be a string and assume that an adversary controls a quantum system $\mathcal{H}_B$ whose state is correlated with $X$. Theorem 5.5.1 provides a bound on the security of a key $f(X)$ computed from $X$ by two-universal hashing. The bound only depends on the uncertainty of the adversary on $X$, measured in terms of collision entropy, min-entropy (cf. Corollary 5.5.2), or smooth min-entropy (Corollary 5.6.1), where the latter is (nearly) optimal (see Section 5.6).

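Theorem 5.5.1. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be classical with respect to an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$, let $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$, and let $\mathcal{F}$ be a two-universal family of hash functions from $\mathcal{X}$ to $\{0,1\}^\ell$. Then

$$d(\rho_{F(X)BF}|BF) \le \sqrt{\mathrm{tr}(\rho_{XB}) \cdot \mathrm{tr}(\sigma_B)} \cdot 2^{-\frac{1}{2}(H_2(\rho_{XB}|\sigma_B) - \ell)}$$

for $\rho_{F(X)BF} \in \mathcal{P}(\mathcal{H}_Z \otimes \mathcal{H}_B \otimes \mathcal{H}_F)$ defined by (5.5).

Proof. We use Lemma 5.2.2 to write the $L_1$-distance from uniform as an expectation value,

$$d(\rho_{F(X)BF}|BF) = \sum_{f \in \mathcal{F}} P_F(f) \cdot d(\rho_{f(X)B}|B) = \mathbb{E}_f\bigl[d(\rho_{f(X)B}|B)\bigr] .$$

With Lemma 5.2.3, the term in the expectation can be bounded in terms of the $L_2$-distance from uniform, that is, for any $\sigma_B \in \mathcal{P}(\mathcal{H}_B)$,

$$\begin{aligned}
d(\rho_{F(X)BF}|BF) &\le \sqrt{2^\ell\, \mathrm{tr}(\sigma_B)}\; \mathbb{E}_f\Bigl[\sqrt{d_2(\rho_{f(X)B}|\sigma_B)}\Bigr] \\
&\le \sqrt{2^\ell\, \mathrm{tr}(\sigma_B)}\, \sqrt{\mathbb{E}_f\bigl[d_2(\rho_{f(X)B}|\sigma_B)\bigr]} ,
\end{aligned}$$

where we have used Jensen's inequality. Finally, we apply Lemma 5.4.3 to bound the $L_2$-distance from uniform in terms of the collision entropy, which gives

$$d(\rho_{F(X)BF}|BF) \le \sqrt{2^\ell\, \mathrm{tr}(\sigma_B)}\, \sqrt{\mathrm{tr}(\rho_{XB})\, 2^{-H_2(\rho_{XB}|\sigma_B)}} .$$ □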
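As an added illustration (not part of the thesis), the following Python script checks Theorem 5.5.1 exactly in the special case where the adversary's system $B$ is a classical register $Z$ and $\sigma_B = \rho_B$, using the family of all GF(2)-linear maps as the two-universal family. The sample distribution, the choice of family and all function names are assumptions made for this example.

```python
# Added example, not from the thesis: exact check of Theorem 5.5.1 for a
# classical adversary (B = Z classical, sigma_B = rho_B).
from itertools import product
from math import log2

def linear_family(n, ell):
    """All GF(2)-linear maps {0,1}^n -> {0,1}^ell; each map is a tuple of ell row masks."""
    return list(product(range(2 ** n), repeat=ell))

def apply_hash(rows, x):
    """f(x) = Mx over GF(2): output bit i is the parity of rows[i] AND x."""
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def max_collision_prob(family, n):
    """Max over distinct x, x' of Pr_f[f(x) = f(x')]; Definition 5.4.1 needs <= 1/|Z|."""
    worst = 0.0
    for x in range(2 ** n):
        for x2 in range(x + 1, 2 ** n):
            hits = sum(apply_hash(f, x) == apply_hash(f, x2) for f in family)
            worst = max(worst, hits / len(family))
    return worst

def marginal_z(p_xz):
    """P_Z(z) = sum_x P_XZ(x, z)."""
    p_z = {}
    for (_, z), p in p_xz.items():
        p_z[z] = p_z.get(z, 0.0) + p
    return p_z

def collision_entropy(p_xz):
    """H_2(rho_XB|rho_B) for classical B: -log sum_{x,z} P(x,z)^2 / P_Z(z)."""
    p_z = marginal_z(p_xz)
    return -log2(sum(p * p / p_z[z] for (_, z), p in p_xz.items()))

def distance_from_uniform(p_xz, family, ell):
    """d(rho_F(X)BF|BF): average over f of sum_{k,z} |P(f(X)=k, Z=z) - 2^-ell P_Z(z)|."""
    p_z = marginal_z(p_xz)
    total = 0.0
    for f in family:
        p_kz = {}
        for (x, z), p in p_xz.items():
            key = (apply_hash(f, x), z)
            p_kz[key] = p_kz.get(key, 0.0) + p
        total += sum(abs(p_kz.get((k, z), 0.0) - pz / 2 ** ell)
                     for z, pz in p_z.items() for k in range(2 ** ell))
    return total / len(family)

def theorem_bound(p_xz, ell):
    """Right-hand side of Theorem 5.5.1 with tr(rho_XB) = tr(sigma_B) = 1."""
    return 2 ** (-0.5 * (collision_entropy(p_xz) - ell))

# Constructed sample: X is a uniform 4-bit string; the adversary's Z is the
# lowest bit of X, flipped with probability 0.1.
N_BITS = 4
P_XZ = {(x, z): (0.9 if z == (x & 1) else 0.1) / 16
        for x in range(2 ** N_BITS) for z in (0, 1)}

def report(ell):
    """Exact distance from uniform and the theorem's bound for key length ell."""
    family = linear_family(N_BITS, ell)
    return distance_from_uniform(P_XZ, family, ell), theorem_bound(P_XZ, ell)

if __name__ == "__main__":
    for ell in (1, 2, 3):
        d, bound = report(ell)
        print(f"ell={ell}: d={d:.4f}  bound={bound:.4f}")
```

The distance here is the unnormalized $L_1$-norm of Definition 5.2.1, so it is twice the usual statistical distance.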

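Corollary 5.5.2. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be classical with respect to an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$ and let $\mathcal{F}$ be a two-universal family of hash functions from $\mathcal{X}$ to $\{0,1\}^\ell$. Then

$$d(\rho_{F(X)BF}|BF) \le \sqrt{\mathrm{tr}(\rho_{XB})} \cdot 2^{-\frac{1}{2}(H_{\min}(\rho_{XB}|B) - \ell)} ,$$

for $\rho_{F(X)BF} \in \mathcal{P}(\mathcal{H}_Z \otimes \mathcal{H}_B \otimes \mathcal{H}_F)$ defined by (5.5).

Proof. The assertion follows directly from Theorem 5.5.1 and Remark 5.3.2.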

□

5.6 Characterization using smooth min-entropy

The characterization of privacy amplification in terms of the collision entropy or min-entropy is not optimal.² Because of Remark 5.3.2, the same problem arises if we replace the collision entropy by the min-entropy (as in Corollary 5.5.2). However, as we shall see, the statement of Theorem 5.5.1 still holds if the uncertainty is measured in terms of smooth min-entropy. That is, the key generated from $X$ by two-universal hashing is secure if its length is slightly smaller than roughly $H^\varepsilon_{\min}(\rho_{XB}|B)$, where $\rho_{XB}$ is the joint state of the initial string $X$ and the adversary's knowledge. This is essentially optimal, i.e., $H^\varepsilon_{\min}(\rho_{XB}|B)$ is also an upper bound on the maximum number of key bits that can be generated from $X$.³

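Corollary 5.6.1. Let $\rho_{XB} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_B)$ be a density operator which is classical with respect to an orthonormal basis $\{|x\rangle\}_{x \in \mathcal{X}}$ of $\mathcal{H}_X$, let $\mathcal{F}$ be a two-universal family of hash functions from $\mathcal{X}$ to $\{0,1\}^\ell$, and let $\varepsilon > 0$. Then

$$d(\rho_{F(X)BF}|BF) \le 2\varepsilon + 2^{-\frac{1}{2}(H^\varepsilon_{\min}(\rho_{XB}|B) - \ell)}$$

for $\rho_{F(X)BF} \in \mathcal{P}(\mathcal{H}_Z \otimes \mathcal{H}_B \otimes \mathcal{H}_F)$ defined by (5.5).

Proof. Consider an arbitrary operator $\bar\rho_{XB} \in \mathcal{B}^\varepsilon(\rho_{XB})$ and let $\bar\rho_{F(X)BF} \in \mathcal{P}(\mathcal{H}_Z \otimes \mathcal{H}_B \otimes \mathcal{H}_F)$ be the corresponding operator defined by (5.5). Because the $L_1$-distance cannot increase when applying a trace-preserving quantum operation (cf. Lemma A.2.1), we have $\bar\rho_{F(X)BF} \in \mathcal{B}^\varepsilon(\rho_{F(X)BF})$. Hence, by the triangle inequality,

$$\begin{aligned}
d(\rho_{F(X)BF}|BF) &= \| \rho_{F(X)BF} - \rho_U \otimes \rho_{BF} \|_1 \\
&\le \| \rho_{F(X)BF} - \bar\rho_{F(X)BF} \|_1 + \| \bar\rho_{F(X)BF} - \rho_U \otimes \bar\rho_{BF} \|_1 + \| \bar\rho_{BF} - \rho_{BF} \|_1 \\
&\le 2\varepsilon + \| \bar\rho_{F(X)BF} - \rho_U \otimes \bar\rho_{BF} \|_1 = 2\varepsilon + d(\bar\rho_{F(X)BF}|BF) ,
\end{aligned}$$

where $\rho_U$ is the fully mixed state on $\mathcal{H}_Z$. Corollary 5.5.2, applied to $\bar\rho_{XB}$, gives

$$d(\rho_{F(X)BF}|BF) \le 2\varepsilon + \sqrt{\mathrm{tr}(\bar\rho_{XB})} \cdot 2^{-\frac{1}{2}(H_{\min}(\bar\rho_{XB}|B) - \ell)} .$$

Because this holds for any $\bar\rho_{XB} \in \mathcal{B}^\varepsilon(\rho_{XB})$, the assertion follows by the definition of smooth min-entropy. □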



2 This also holds for the classical result, as observed in [BBCM95]. In fact, depending on the probability distribution $P_X$ of the initial string $X$, it might be possible to extract a key whose length exceeds the collision entropy of $P_X$.

3 To see this, let $F$ be an arbitrary hash function. It follows from Lemma 3.1.9 that the smooth min-entropy cannot increase when applying a function on $X$, i.e., $H^\varepsilon_{\min}(\rho_{XB}|B) \ge H^\varepsilon_{\min}(\rho_{F(X)BF}|BF)$. Moreover, it is easy to verify that the smooth min-entropy of a secret key given the adversary's information is roughly equal to its length. Hence, if $F(X)$ is a secret key of length $\ell$, we have $H^\varepsilon_{\min}(\rho_{F(X)BF}|BF) \gtrsim \ell$. Combining this with the above gives $H^\varepsilon_{\min}(\rho_{XB}|B) \gtrsim \ell$.



Chapter 6 

Security of QKD 



In this chapter, we use the techniques developed in Chapters to prove the security of QKD.¹ (The reader is referred to Section fi. fíl for a high-level description of the material presented in the following, including a sketch of the security proof.) Typically, a QKD protocol is built from several subprotocols, e.g., for parameter estimation, information reconciliation, or privacy amplification. We first describe and analyze these subprotocols (Sections 6.2–6.4) and then put the parts together to get a general security criterion for quantum key distillation (Section 6.5), which directly implies the security of quantum key distribution (QKD) (Section 6.6).

6.1 Preliminaries

6.1.1 Two-party protocols

A protocol $\mathcal{P}$ between two parties, Alice and Bob, is specified by a sequence of operations, called (protocol) steps, to be performed by each of the parties. In the first protocol step, Alice and Bob might take (classical or quantum) inputs $A$ and $B$, respectively (e.g., some correlated data). In each of the following steps, Alice and Bob either perform local computations or exchange messages (using a classical or a quantum communication channel). Finally, in the last protocol step, Alice and Bob generate outputs $A'$ and $B'$, respectively (e.g., a pair of secret keys).

We will mostly (except for Section 6.6) be concerned with the analysis of protocols $\mathcal{P}$ that only use communication over a classical and authentic channel. In this case, Alice and Bob's outputs as well as the transcript of the communication do not depend on the attack of a potential adversary. Let $\rho_{AB}$ and $\rho_{A'B'C}$ be the density operators describing Alice and Bob's inputs $A$ and $B$ as well as their outputs $A'$ and $B'$ together with the communication transcript $C$, respectively. The mapping that brings $\rho_{AB}$ to $\rho_{A'B'C}$, in the following denoted by $\mathcal{E}_{A'B'C \leftarrow AB}$, is then uniquely defined by the protocol $\mathcal{P}$. Moreover, because it must be physically realizable, $\mathcal{E}_{A'B'C \leftarrow AB}$ is a CPM (see Section l^.l.ip).

1 As discussed in Chapter Q we actually consider quantum key distillation, which is somewhat more general than quantum key distribution (QKD).

To analyze the security of a protocol $\mathcal{P}$, we need to include Eve's information in our description. Let $\rho_{ABE}$ be the state of Alice and Bob's inputs as well as Eve's initial information. Similarly, let $\rho_{A'B'E'}$ be the state of Alice and Bob's outputs together with Eve's information after the protocol execution. As Eve might get a transcript $C$ of the messages sent over the classical channel, the CPM that maps $\rho_{ABE}$ to $\rho_{A'B'E'}$ is given by

$$\mathcal{E}_{A'B'E' \leftarrow ABE} := \mathcal{E}_{A'B'C \leftarrow AB} \otimes \mathrm{id}_E ,$$

where $\mathcal{H}_{E'} := \mathcal{H}_C \otimes \mathcal{H}_E$.

6.1.2 Robustness of protocols 

Depending on its input, a protocol might be unable to produce the desired output. For example, if a key distillation protocol starts with uncorrelated randomness, it cannot generate a pair of secret keys. In this case, the best we can hope for is that the protocol recognizes this situation and aborts² (instead of generating an insecure result).

Clearly, one is interested in designing protocols that are successful on certain inputs. This requirement is captured by the notion of robustness.

Definition 6.1.1. Let $\mathcal{P}$ be a two-party protocol and let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$. We say that $\mathcal{P}$ is $\varepsilon$-robust on $\rho_{AB}$ if, for inputs defined by $\rho_{AB}$, the probability that the protocol aborts is at most $\varepsilon$.

Mathematically, we represent the state that describes the situation after an abortion of the protocol as a zero operator. The CPM $\mathcal{E}_{A'B'C \leftarrow AB}$ (as defined in Section 6.1.1) is then a projection onto the space that represents the outputs of successful protocol executions (i.e., where it did not abort). The probability that the protocol is successful when starting with an initial state $\rho_{AB}$ is thus equal to the trace $\mathrm{tr}(\rho_{A'B'E})$ of the operator $\rho_{A'B'E} = \mathcal{E}_{A'B'C \leftarrow AB}(\rho_{AB})$. In particular, if $\mathcal{P}$ is $\varepsilon$-robust on a density operator $\rho_{AB}$ then $\mathrm{tr}(\rho_{A'B'E}) \ge 1 - \varepsilon$.

6.1.3 Security definition for key distillation 

A (quantum) key distillation protocol KD is a two-party protocol with classical communication where Alice and Bob take inputs from $\mathcal{H}_A$ and $\mathcal{H}_B$, respectively, and either output classical keys $s_A, s_B \in \mathcal{S}$, where $\mathcal{S}$ is called the key space of KD, or abort the protocol.

2 Technically, the protocol might output a certain predefined symbol which indicates that it is unable to accomplish the task.

Definition 6.1.2. Let KD be a key distillation protocol and let $\rho_{ABE} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)$. We say that KD is $\varepsilon$-secure on $\rho_{ABE}$ if $\rho_{S_A S_B E'} := \mathcal{E}_{S_A S_B E' \leftarrow ABE}(\rho_{ABE})$ satisfies

$$\frac{1}{2} \| \rho_{S_A S_B E'} - \rho_{UU} \otimes \rho_{E'} \|_1 \le \varepsilon ,$$

where $\rho_{UU} := \sum_{s \in \mathcal{S}} \frac{1}{|\mathcal{S}|} |s\rangle\langle s| \otimes |s\rangle\langle s|$ for some family $\{|s\rangle\}_{s \in \mathcal{S}}$ of orthonormal vectors representing the values of the key space $\mathcal{S}$.

Moreover, we say that KD is $\varepsilon$-fully secure if it is $\varepsilon$-secure on all density operators $\rho_{ABE} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)$.

According to the discussion on universal security in Section 2.2.2,³ this definition has a very intuitive interpretation: If the protocol is $\varepsilon$-fully secure then, for any arbitrary input, the probability of the event that Alice and Bob do not abort and the adversary gets information on the key pair⁴ is at most $\varepsilon$.⁵ In other words, except with probability $\varepsilon$, Alice and Bob either abort or generate a pair of keys which are identical to a perfect key.

Remark 6.1.3. The above security definition for key distillation protocols KD can be subdivided into two parts:

• $\varepsilon'$-correctness: $\Pr[s_A \ne s_B] \le \varepsilon'$,⁶ for $s_A$ and $s_B$ chosen according to the distribution defined by $\rho_{S_A S_B}$.

• $\varepsilon''$-secrecy of Alice's key: $\frac{1}{2} d(\rho_{S_A CE}|CE) \le \varepsilon''$.⁷

In particular, if KD is $\varepsilon'$-correct and $\varepsilon''$-secret on $\rho_{XYE}$ then it is $(\varepsilon' + \varepsilon'')$-secure on $\rho_{XYE}$.

6.2 Parameter estimation 

The purpose of a parameter estimation is to decide whether the input given to the protocol can be used for a certain task, e.g. to distill a secret key. Technically, a parameter estimation protocol PE is simply a two-party protocol where Alice and Bob take inputs from $\mathcal{H}_A$ and $\mathcal{H}_B$, respectively, and either output "accept" or abort the protocol.

3 If a key $S$ is $\varepsilon$-secure, one could define a perfectly secure (independent and uniformly distributed) key $U$ such that $\Pr[s \ne u] \le \varepsilon$ (see also Proposition 12 . 1 . .).

4 According to Footnote 3, one could say that the adversary gets information on a key $S$ whenever the value of $S$ is not equal to the value of a perfect key $U$.

5 Note that the adversary's information on the key, conditioned on the event that Alice and Bob generate a key, is not necessarily small. In fact, if, for a certain input, the probability that Alice and Bob generate a key is very small (e.g., smaller than $\varepsilon$) then, conditioned on this rare event, the key might be insecure (see also the discussion in [BBB+05]).

6 $\Pr[s_A \ne s_B]$ is the probability of the event that Alice and Bob do not abort and the generated keys $s_A$ and $s_B$ are different.

7 See Definition 5.2.1.

Fig. 6.1 Parameter estimation protocol $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$.
Parameters:
  $\mathcal{M}$: bipartite POVM $\{M_w\}_{w \in \mathcal{W}}$ on $\mathcal{H}_A \otimes \mathcal{H}_B$
  $\mathcal{Q}$: set of frequency distributions on $\mathcal{W}$
Steps: Alice (input space $\mathcal{H}_A^{\otimes n}$) and Bob (input space $\mathcal{H}_B^{\otimes n}$) measure according to $\mathcal{M}^{\otimes n}$ and obtain $\mathbf{w} = (w_1, \ldots, w_n)$; if $\lambda_{\mathbf{w}} \notin \mathcal{Q}$ then abort, else output "acc.".

Definition 6.2.1. Let PE be a parameter estimation protocol and let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$. We say that PE $\varepsilon$-securely filters $\rho_{AB}$ if, on input $\rho_{AB}$, the protocol aborts except with probability $\varepsilon$.

A typical and generic example for parameter estimation is the protocol $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ depicted in Fig. 6.1. Alice and Bob take inputs from an $n$-fold product space. Then they measure each of the $n$ subspaces according to a POVM $\mathcal{M} = \{M_w\}_{w \in \mathcal{W}}$.⁸ Finally, they output "accept" if the frequency distribution $\lambda_{\mathbf{w}}$ of the measurement outcomes $\mathbf{w} = (w_1, \ldots, w_n)$ is contained in a certain set $\mathcal{Q}$.

For the analysis of this protocol, it is convenient to consider the set $\Gamma^{\le\mu}_{\mathcal{M},\mathcal{Q}}$ of density operators $\sigma_{AB}$ for which the measurement $\mathcal{M}$ leads to a distribution which has distance at most $\mu$ to the set $\mathcal{Q}$. Formally,

$$\Gamma^{\le\mu}_{\mathcal{M},\mathcal{Q}} := \bigl\{\sigma_{AB} : \min_{Q \in \mathcal{Q}} \| P^{\sigma_{AB}}_W - Q \|_1 \le \mu \bigr\} , \qquad (6.1)$$

where $P^{\sigma_{AB}}_W$ denotes the probability distribution of the outcomes when measuring $\sigma_{AB}$ according to $\mathcal{M}$, i.e., $P^{\sigma_{AB}}_W(w) = \mathrm{tr}(M_w \sigma_{AB})$, for any $w \in \mathcal{W}$.

Assume that the protocol $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ takes as input a product state $\rho_{A^n B^n} = \sigma_{AB}^{\otimes n}$. Then, by the law of large numbers, the measurement statistics $\lambda_{\mathbf{w}}$ must be close to $\mathcal{M}(\sigma_{AB})$. In particular, if the protocol accepts with non-negligible probability (i.e., $\lambda_{\mathbf{w}}$ is contained in $\mathcal{Q}$) then $\sigma_{AB}$ is likely to be contained in $\Gamma^{\le\mu}_{\mathcal{M},\mathcal{Q}}$, for some small $\mu > 0$. In other words, the protocol aborts with high probability if $\sigma_{AB}$ is not an element of the set $\Gamma^{\le\mu}_{\mathcal{M},\mathcal{Q}}$. The following lemma generalizes this statement to permutation-invariant inputs.

8 $\mathcal{M}$ might be an arbitrary measurement that can be performed by two distant parties connected by a classical channel.

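Lemma 6.2.2. Let $\mathcal{M} := \{M_w\}_{w \in \mathcal{W}}$ be a POVM on $\mathcal{H}_A \otimes \mathcal{H}_B$, let $\mathcal{Q}$ be a set of frequency distributions on $\mathcal{W}$, let $0 \le r \le \frac{1}{2} n$, and let $\varepsilon > 0$. Moreover, let $|\theta\rangle \in \mathcal{H}_{ABE} := \mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$ and let $\rho_{A^n B^n E^n}$ be a density operator on $\mathrm{Sym}(\mathcal{H}_{ABE}^{\otimes n}, |\theta\rangle^{\otimes n-r})$. If $\mathrm{tr}_E(|\theta\rangle\langle\theta|)$ is not contained in the set $\Gamma^{\le\mu}_{\mathcal{M},\mathcal{Q}}$ defined by (6.1), for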

, := JMl/£) + |VV| log( | + 1) , 

V n n 2 

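then the protocol $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ defined by Fig. 6.1 $\varepsilon$-securely filters $\rho_{A^n B^n}$.

Proof. The assertion follows directly from Theorem 4.5.2. □

Similarly, we can define a set $\Gamma^{\ge\mu}_{\mathcal{M},\mathcal{Q}}$ containing all density operators $\sigma_{AB}$ for which the measurement $\mathcal{M}$ leads to a distribution which has distance at least $\mu$ to the complement of $\mathcal{Q}$. Formally,

$$\Gamma^{\ge\mu}_{\mathcal{M},\mathcal{Q}} := \bigl\{\sigma_{AB} : \min_{Q \notin \mathcal{Q}} \| P^{\sigma_{AB}}_W - Q \|_1 \ge \mu \bigr\} . \qquad (6.2)$$

Analogously to the above argument, one can show that the protocol $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ defined by Fig. 6.1 is $\varepsilon$-robust on product operators $\sigma_{AB}^{\otimes n}$, for any $\sigma_{AB} \in \Gamma^{\ge\mu}_{\mathcal{M},\mathcal{Q}}$.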

6.3 Information reconciliation

Assume that Alice and Bob hold weakly correlated classical values $x$ and $y$, respectively. The purpose of an information reconciliation protocol is to transform $x$ and $y$ into a pair of fully correlated strings, while leaking only a minimum amount of information (on the final strings) to an eavesdropper
(see, e.g., jBHMj). 

6.3.1 Definition 

We focus on information reconciliation schemes where Alice keeps her input value $x$ and where Bob outputs a guess $\hat{x}$ for $x$. Hence, technically, an information reconciliation protocol IR is a two-party protocol where Alice and Bob take classical inputs $x \in \mathcal{X}$ and $y \in \mathcal{Y}$, respectively, and where Bob outputs a classical value $\hat{x} \in \mathcal{X}$ or aborts.

Definition 6.3.1. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ and let $\varepsilon > 0$. We say that an information reconciliation protocol IR is $\varepsilon$-secure on $P_{XY}$ if, for inputs $x$ and $y$ chosen according to $P_{XY}$, the probability that Bob's output $\hat{x}$ differs from Alice's input $x$ is at most $\varepsilon$, i.e., $\Pr[\hat{x} \ne x] \le \varepsilon$.⁹

Moreover, we say that IR is $\varepsilon$-fully secure if it is $\varepsilon$-secure on all probability distributions $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$.

The communication transcript of an information reconciliation scheme IR generally contains useful information on Alice and Bob's values. If the communication channel is insecure, this information might be leaked to Eve. Clearly, in the context of key agreement, one is interested in information reconciliation schemes for which this leakage is minimal.

Definition 6.3.2. Let IR be an information reconciliation protocol where Alice and Bob take inputs from $\mathcal{X}$ and $\mathcal{Y}$, respectively. Let $\mathcal{C}$ be the set of all possible communication transcripts $c$ and let $P_{C|X=x,Y=y}$ be the distribution of the transcripts $c \in \mathcal{C}$ conditioned on inputs $(x, y) \in \mathcal{X} \times \mathcal{Y}$. Then the leakage of IR is

$$\mathrm{leak}_{\mathrm{IR}} := \log |\mathcal{C}| - \inf_{x,y} H_{\min}(P_{C|X=x,Y=y}) ,$$

where the infimum ranges over all $(x, y) \in \mathcal{X} \times \mathcal{Y}$.

Note that the leakage is independent of the actual distribution $P_{XY}$ of Alice and Bob's values.

6.3.2 Information reconciliation with minimum leakage 

A typical information reconciliation protocol is the protocol $\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}$ defined by Fig. 6.2. It is a so-called one-way protocol where only Alice sends messages to Bob. We show that the leakage of this protocol, for appropriately chosen parameters, is roughly bounded by the max-entropy of $X$ given $Y$ (Lemma 6.3.3). This statement can be extended to smooth max-entropy (Lemma 6.3.4), which turns out to be optimal, i.e., the minimum leakage of an information reconciliation protocol for $P_{XY}$ is exactly characterized by $H^\varepsilon_{\max}(X|Y)$. In particular, for the special case where the input is chosen according to a product distribution, we get an asymptotic expression in terms of Shannon entropy (Corollary 6.3.5), which corresponds to the Shannon coding theorem.

Lemma 6.3.3. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ and let $\varepsilon > 0$. Then the information reconciliation protocol $\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}$ defined by Fig. 6.2, for an appropriate choice of the parameters $\hat{\mathcal{X}}$ and $\mathcal{F}$, is 0-robust on $P_{XY}$, $\varepsilon$-fully secure, and has leakage

$$\mathrm{leak}_{\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}} \le H_{\max}(P_{XY}|Y) + \log(2/\varepsilon) .$$

9 We denote by $\Pr[\hat{x} \ne x]$ the probability of the event that the protocol does not abort and $\hat{x}$ is different from $x$.

Fig. 6.2 Information reconciliation protocol $\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}$.
Parameters:
  $\hat{\mathcal{X}}$: family of sets $\hat{\mathcal{X}}_y \subseteq \mathcal{X}$ parameterized by $y \in \mathcal{Y}$.
  $\mathcal{F}$: family of hash functions from $\mathcal{X}$ to $\mathcal{Z}$.
Steps: Alice (input: $x \in \mathcal{X}$) computes $z := f(x)$ and sends $f, z$ to Bob (input: $y \in \mathcal{Y}$); Bob forms the set $\{\hat{x} \in \hat{\mathcal{X}}_y : f(\hat{x}) = z\}$; if this set is nonempty, he chooses $\hat{x}$ at random from it and outputs $\hat{x}$, else he aborts.



Proof. Let $k := \lceil H_{\max}(P_{XY}|Y) + \log(1/\varepsilon) \rceil$ and let $\mathcal{F}$ be a two-universal family of hash functions from $\mathcal{X}$ to $\mathcal{Z} := \{0,1\}^k$ (which exists according to Lemma 5.4.2). Furthermore, let $\hat{\mathcal{X}} = \{\hat{\mathcal{X}}_y\}_{y \in \mathcal{Y}}$ be the family of sets defined by $\hat{\mathcal{X}}_y := \mathrm{supp}(P^y_X)$, where $\mathrm{supp}(P^y_X)$ denotes the support of the function $P^y_X : x \mapsto P_{XY}(x, y)$.

For any pair of inputs $x$ and $y$ and for any communication $(f, z) = (f, f(x))$ computed by Alice, Bob can only output a wrong value if the set $\hat{\mathcal{X}}_y = \mathrm{supp}(P^y_X)$ contains an element $\hat{x} \ne x$ such that $f(\hat{x}) = z$. Because $f$ is chosen uniformly at random from the family of two-universal hash functions $\mathcal{F}$, we have $\Pr_f[f(\hat{x}) = f(x)] \le \frac{1}{|\mathcal{Z}|} = 2^{-k}$, for any $\hat{x} \ne x$. Hence, by the union bound, for any fixed $(x, y) \in \mathcal{X} \times \mathcal{Y}$,

$$\begin{aligned}
\Pr[\hat{x} \ne x] &\le \Pr_f\bigl[\exists \hat{x} \in \mathrm{supp}(P^y_X) : \hat{x} \ne x \wedge f(\hat{x}) = f(x)\bigr] \\
&\le |\mathrm{supp}(P^y_X)| \cdot 2^{-k} .
\end{aligned}$$

Because, by Remark lM.1.41, $\max_y |\mathrm{supp}(P^y_X)| = 2^{H_{\max}(P_{XY}|Y)}$, we conclude

$$\Pr[\hat{x} \ne x] \le 2^{H_{\max}(P_{XY}|Y) - \lceil H_{\max}(P_{XY}|Y) + \log(1/\varepsilon) \rceil} \le \varepsilon ,$$

that is, $\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}$ is $\varepsilon$-secure on any probability distribution.

Moreover, if $(x, y)$ is chosen according to the distribution $P_{XY}$, then, clearly, $x$ is always contained in $\hat{\mathcal{X}}_y = \mathrm{supp}(P^y_X)$, that is, Bob never aborts. This proves that the protocol is 0-robust.

Since $f$ is chosen uniformly at random and independently of $x$ from the family of hash functions $\mathcal{F}$, all nonzero probabilities of the distribution $P_{C|X=x}$ are equal to $\frac{1}{|\mathcal{F}|}$. Hence, using the fact that $\mathcal{C} = \mathcal{F} \times \mathcal{Z}$,

$$\begin{aligned}
\mathrm{leak}_{\mathrm{IR}} &= \log |\mathcal{C}| - \inf_x H_{\min}(P_{C|X=x}) \\
&= \log |\mathcal{F} \times \mathcal{Z}| - \log |\mathcal{F}| \le \log |\mathcal{Z}| = k .
\end{aligned}$$

The claimed bound on the leakage then follows by the definition of $k$. □
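The protocol of Fig. 6.2 and the error analysis of the proof above, run exhaustively as an added example (not code from the thesis): Alice sends $(f, f(x))$ for $f$ drawn from the family of all GF(2)-linear maps, and Bob decodes within $\mathrm{supp}(P^y_X)$. The input distribution, the value $\varepsilon = 1/4$, the choice of hash family and all function names are constructed for illustration.

```python
# Added example, not from the thesis: exhaustive run of the one-way
# information reconciliation protocol with a small two-universal family.
from itertools import product
from math import ceil, log2

def linear_family(n, k):
    """All GF(2)-linear maps {0,1}^n -> {0,1}^k, each a tuple of k row masks."""
    return list(product(range(2 ** n), repeat=k))

def apply_hash(rows, x):
    """f(x) = Mx over GF(2): output bit i is the parity of rows[i] AND x."""
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def supports(p_xy):
    """The sets supp(P_X^y): the x values Bob considers possible given y."""
    sup = {}
    for (x, y), p in p_xy.items():
        if p > 0:
            sup.setdefault(y, set()).add(x)
    return sup

def h_max(p_xy):
    """H_max(P_XY|Y) = log max_y |supp(P_X^y)|."""
    return log2(max(len(s) for s in supports(p_xy).values()))

def hash_length(p_xy, eps):
    """k from the proof of Lemma 6.3.3; the leakage of the protocol is at most k."""
    return ceil(h_max(p_xy) + log2(1 / eps))

def leak_bound(p_xy, eps):
    """Right-hand side of the leakage bound in Lemma 6.3.3."""
    return h_max(p_xy) + log2(2 / eps)

def reconcile(p_xy, n, eps):
    """Exact worst-case Pr[x_hat != x] and Pr[abort] over all supported (x, y)."""
    sup = supports(p_xy)
    family = linear_family(n, hash_length(p_xy, eps))
    tables = [[apply_hash(f, c) for c in range(2 ** n)] for f in family]
    worst_err = worst_abort = 0.0
    for y, xs in sup.items():
        for x in xs:
            err = aborts = 0.0
            for h in tables:
                # Bob's candidate set for the transcript (f, z = f(x))
                cand = [c for c in xs if h[c] == h[x]]
                if not cand:          # cannot happen when x is in supp(P_X^y)
                    aborts += 1
                else:                 # Bob picks uniformly among the candidates
                    err += sum(c != x for c in cand) / len(cand)
            worst_err = max(worst_err, err / len(family))
            worst_abort = max(worst_abort, aborts / len(family))
    return worst_err, worst_abort

# Constructed sample: 3-bit strings x; each y leaves three candidates for x.
N_BITS = 3
EPS = 0.25
SUPPORT = {0: (0, 1, 2), 1: (2, 3, 5), 2: (5, 6, 7)}
P_XY = {(x, y): 1 / 9 for y, xs in SUPPORT.items() for x in xs}

if __name__ == "__main__":
    err, abort = reconcile(P_XY, N_BITS, EPS)
    print("k =", hash_length(P_XY, EPS), "error =", err, "abort =", abort)
```

With three candidates per $y$ and $k = 4$, the exact error probability is $47/768$, below the union bound $3 \cdot 2^{-4}$ used in the proof and therefore below $\varepsilon$.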

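Lemma 6.3.4. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ and let $\varepsilon, \varepsilon' > 0$. Then the information reconciliation protocol $\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}$ defined by Fig. 6.2, for an appropriate choice of the parameters $\hat{\mathcal{X}}$ and $\mathcal{F}$, is $\varepsilon'$-robust on $P_{XY}$, $\varepsilon$-fully secure, and has leakage

$$\mathrm{leak}_{\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}} \le H^{\varepsilon'}_{\max}(P_{XY}|Y) + \log(2/\varepsilon) .$$

Proof. For any $\nu > 0$ there exists $\bar{P}_{XY} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_Y)$ such that

$$\| P_{XY} - \bar{P}_{XY} \|_1 \le \varepsilon' \qquad (6.3)$$

and

$$H_{\max}(\bar{P}_{XY}|Y) \le H^{\varepsilon'}_{\max}(P_{XY}|Y) + \nu . \qquad (6.4)$$

According to Lemma 6.3.3, there exists $\hat{\mathcal{X}}$ and $\mathcal{F}$ such that $\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}$ is $\varepsilon$-fully secure, 0-robust on $\bar{P}_{XY}$, and has leakage

$$\mathrm{leak}_{\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}} \le H_{\max}(\bar{P}_{XY}|Y) + \log(2/\varepsilon) .$$

The stated bound on the leakage follows immediately from this inequality and (6.4). Moreover, the bound on the robustness is a direct consequence of the bound (6.3) and the fact that the protocol is 0-robust on $\bar{P}_{XY}$. □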

Corollary 6.3.5. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ be a probability distribution, let $n > 0$, and let $\varepsilon > 0$. Then there exists an information reconciliation protocol IR which is $\varepsilon$-fully secure, $\varepsilon$-robust on the product distribution $P_{X^n Y^n} := (P_{XY})^n$, and has leakage

$$\frac{1}{n} \mathrm{leak}_{\mathrm{IR}} \le H(X|Y) + \sqrt{\frac{3 \log(2/\varepsilon)}{n}}\, \log(|\mathcal{X}| + 3) .$$

Proof. Using Lemma 6.3.4 (with $\varepsilon = \varepsilon'$) and Theorem 3.3.4 we find

$$\frac{1}{n} \mathrm{leak}_{\mathrm{IR}} \le H(X|Y) + \frac{\log(2/\varepsilon)}{n} + \sqrt{\frac{2 \log(2/\varepsilon)}{n}}\, \log(|\mathcal{X}| + 3) .$$

Let $a := \frac{\log(2/\varepsilon)}{n}$ and $b := \log(|\mathcal{X}| + 3)$. The last two terms on the right hand side of this inequality are then upper bounded by $a + \sqrt{2a}\, b \le (\frac{a}{2} + \sqrt{2a}) b$, which holds because $b \ge 2$. We can assume without loss of generality that $3a \le 1$ (otherwise, the statement is trivial). Then $\frac{a}{2} + \sqrt{2a} \le \sqrt{3a}$. The last two terms in the above inequality are thus bounded by $\sqrt{3a}\, b$, which concludes the proof. □

Fig. 6.3 Classical post-processing protocol $\mathrm{PP}_{\mathrm{IR},\mathcal{F}}$.
Parameters:
  IR: information reconciliation protocol.
  $\mathcal{F}$: family of hash functions from $\mathcal{X}$ to $\{0,1\}^\ell$.
Steps: Alice (input: $x \in \mathcal{X}$) and Bob (input: $y \in \mathcal{Y}$) run IR, after which Bob holds $\hat{x}$; a hash function $f$ from $\mathcal{F}$ is communicated; Alice outputs $s_A := f(x)$ and Bob outputs $s_B := f(\hat{x})$.

For practical applications, we are interested in protocols where Alice and Bob's computations can be done efficiently (e.g., in time that only depends polynomially on the length of their inputs). This is, however, not necessarily the case for the information reconciliation protocol $\mathrm{IR}_{\hat{\mathcal{X}},\mathcal{F}}$ described above. While Alice's task, i.e., the evaluation of the hash function, can be done in polynomial time,¹⁰ no efficient algorithm is known for the decoding operation of Bob. Nevertheless, based on a specific encoding scheme, one can show that there exist information reconciliation protocols which only require polynomial-time computations and for which the statement of Corollary 6.3.5 (asymptotically) still holds (see Appendix IÜ|).

6.4 Classical post-processing

Classical post-processing is used to transform an only partially secure¹¹ pair of raw keys $x$ and $y$ held by Alice and Bob, respectively, into a fully secure key pair. A classical post-processing protocol is thus actually a key distillation protocol that starts with classical randomness.

In this section, we analyze the security of the generic post-processing protocol depicted in Fig. 6.3. It consists of an information reconciliation subprotocol (see Section 6.3) followed by privacy amplification (see Chapter 5).

10 Recall that Alice only has to evaluate a function which is randomly chosen from a two-universal family of functions. For most known constructions of such families (see, e.g., [CW79, WC81]), this can be done efficiently.

11 That is, $x$ and $y$ are only weakly correlated and partially secret strings.

Lemma 6.4.1. Let IR be an information reconciliation protocol and let $\mathcal{F}$ be a two-universal family of hash functions from $\mathcal{X}$ to $\{0,1\}^\ell$. Additionally, let $\rho_{XYE} \in \mathcal{P}(\mathcal{H}_X \otimes \mathcal{H}_Y \otimes \mathcal{H}_E)$ be a density operator which is classical on $\mathcal{H}_X \otimes \mathcal{H}_Y$ and let $\varepsilon', \varepsilon'' > 0$. If IR is $\varepsilon'$-secure on the distribution defined by $\rho_{XY}$ and if

$$\ell \le H^\varepsilon_{\min}(\rho_{XE}|E) - \mathrm{leak}_{\mathrm{IR}} - 2 \log(1/\varepsilon) ,$$

for $\varepsilon :=$ then the key distillation protocol $\mathrm{PP}_{\mathrm{IR},\mathcal{F}}$ defined by Fig. 6.3 is $(\varepsilon' + \varepsilon'')$-secure on $\rho_{XYE}$.

Proof. For simplicity, we assume in the following that the protocol IR is one-way. It is straightforward to generalize this argument to arbitrary protocols.

Note first that the keys $s_A$ and $s_B$ generated by Alice and Bob can only differ if $\hat{x} \ne x$. Hence, because the information reconciliation protocol IR is $\varepsilon'$-secure on the distribution defined by $\rho_{XY}$, the classical post-processing protocol $\mathrm{PP}_{\mathrm{IR},\mathcal{F}}$ is $\varepsilon'$-correct on $\rho_{XYE}$. According to Remark 6.1.3 it thus remains to show that Alice's key is $\varepsilon''$-secret.

For this, we use the result on the security of privacy amplification by two-universal hashing presented in Chapter 5. Because $f$ is chosen from a two-universal family of hash functions, Corollary 5.6.1 implies that the key computed by Alice is $\varepsilon''$-secret if

$$H^\varepsilon_{\min}(\rho_{XC'E}|C'E) \ge 2 \log(1/\varepsilon) + \ell , \qquad (6.5)$$

where $\rho_{X\hat{X}C'E} := (\mathcal{E}^{\mathrm{IR}} \otimes \mathrm{id}_E)(\rho_{XYE})$ is the operator describing the situation after the execution of the information reconciliation protocol IR (where $C'$ is the transcript of IR). It thus suffices to verify that the bound on the entropy (6.5) holds.

Using the chain rule (cf. (3.21) of Theorem 3.2.12), the left hand side of (6.5) can be bounded by

$$H^\varepsilon_{\min}(\rho_{XC'E}|C'E) \ge H^\varepsilon_{\min}(\rho_{XC'E}|E) - H_{\max}(\rho_{C'}) .$$

Moreover, because the communication $c'$ is computed only from $x$, the conditional operators $\rho^x_{C'E}$ have product form and thus (cf. (3.22) of Theorem E2H3)

$$H^\varepsilon_{\min}(\rho_{XC'E}|C'E) \ge H^\varepsilon_{\min}(\rho_{XE}|E) + H_{\min}(\rho_{C'X}|\rho_X) - H_{\max}(\rho_{C'}) . \qquad (6.6)$$

Using the fact that $H_{\max}(\rho_{C'}) = \log \mathrm{rank}(\rho_{C'})$ and Lemma 3.1.8, the last two terms in the above expression can be bounded by

$$H_{\max}(\rho_{C'}) - H_{\min}(\rho_{C'X}|\rho_X) \le \log \mathrm{rank}(\rho_{C'}) - \inf_x H_{\min}(\bar\rho^x_{C'}) ,$$

where, for any $x \in \mathcal{X}$, $\bar\rho^x_{C'}$ is the normalized conditional operator defined by $\rho_{C'X}$. Hence, by the definition of leakage,

$$H_{\max}(\rho_{C'}) - H_{\min}(\rho_{C'X}|\rho_X) \le \mathrm{leak}_{\mathrm{IR}} .$$

Combining this with (6.6), we find

$$H^\varepsilon_{\min}(\rho_{XC'E}|C'E) \ge H^\varepsilon_{\min}(\rho_{XE}|E) - \mathrm{leak}_{\mathrm{IR}} ,$$

which, by the assumption on the length of the final key $\ell$, implies (6.5) and thus concludes the proof. □

6.5 Quantum key distillation 

We are now ready to describe and analyze a general quantum key distillation 
protocol, which uses parameter estimation and classical post-processing as 
discussed above. (For a high-level description of the content of this section, 
we refer to Section IT!ïïl ) 

6.5.1 Description of the protocol 

Consider the quantum key distillation protocol $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ depicted in Fig. 6.4. Alice and Bob take inputs from product spaces $\mathcal{H}_A^{\otimes N}$ and $\mathcal{H}_B^{\otimes N}$, respectively. Then, they subsequently run the following subprotocols (see also Table 6.1):

• Random permutation of the subsystems: Alice and Bob reorder their subsystems according to a commonly chosen random permutation $\pi$.

• Parameter estimation (PE): Alice and Bob sacrifice $m$ subsystems to perform some statistical checks. We assume that they do this using a protocol of the form $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ (see Fig. 6.1), which is characterized by a POVM $\mathcal{M} = \{M_w\}_{w \in \mathcal{W}}$ on $\mathcal{H}_A \otimes \mathcal{H}_B$ and a set $\mathcal{Q}$ of valid frequency distributions on $\mathcal{W}$.

• Block-wise measurement and processing ($\mathrm{Bl}^{\otimes n}$): In order to obtain classical data, Alice and Bob apply a measurement to the remaining $b \cdot n$ subsystems, possibly followed by some further processing (e.g., advantage distillation). We assume here that Alice and Bob group their $b \cdot n$ subsystems in $n$ blocks of size $b$ and then process each of these blocks independently, according to some subprotocol, denoted Bl. Each application of Bl to a block $\mathcal{H}_A^{\otimes b} \otimes \mathcal{H}_B^{\otimes b}$ results in a pair of classical outputs $x_i$ and $y_i$.

• Classical post-processing (PP): Alice and Bob transform their classical strings $(x_1, \ldots, x_n)$ and $(y_1, \ldots, y_n)$ into a pair of secret keys. For this, they invoke a post-processing subprotocol of the form $\mathrm{PP}_{\mathrm{IR},\mathcal{F}}$ (see Fig. 6.3), for some (arbitrary) information reconciliation scheme IR and a two-universal family of hash functions $\mathcal{F}$ for privacy amplification.
Fig. 6.4 Quantum key distillation protocol $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$.

Parameters:

PE: parameter estimation protocol on $\mathcal{H}_A^{\otimes m} \otimes \mathcal{H}_B^{\otimes m}$.

Bl: subprotocol on $\mathcal{H}_A^{\otimes b} \otimes \mathcal{H}_B^{\otimes b}$ with classical output in $\mathcal{X} \times \mathcal{Y}$.

PP: classical post-processing protocol on $\mathcal{X}^n \times \mathcal{Y}^n$.

N: number of input systems ($N \geq bn + m$).

[Protocol diagram: Alice (input space $\mathcal{H}_A^{\otimes N}$) and Bob (input space $\mathcal{H}_B^{\otimes N}$) permute their subsystems according to a common $\pi \in_R S_N$, run PE on $m$ subsystems each (accept/abort), and feed $(x_1, \ldots, x_n)$ and $(y_1, \ldots, y_n)$ into PP, which outputs $s_A$ for Alice and $s_B$ for Bob.]

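Table 6.1 Subprotocols used for $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ (cf. Fig. 6.4).

PE := $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$: protocol on $\mathcal{H}_A^{\otimes m} \otimes \mathcal{H}_B^{\otimes m}$ defined by Fig. 6.1
    $\mathcal{M} = \{M_w\}_{w \in \mathcal{W}}$: POVM on $\mathcal{H}_A \otimes \mathcal{H}_B$
    $\mathcal{Q}$: set of frequency distributions on $\mathcal{W}$

Bl: protocol on $\mathcal{H}_A^{\otimes b} \otimes \mathcal{H}_B^{\otimes b}$ with classical output in $\mathcal{X} \times \mathcal{Y}$

PP := $\mathrm{PP}_{\mathrm{IR},\mathcal{F}}$: protocol on $\mathcal{X}^n \times \mathcal{Y}^n$ defined by Fig. 6.3
    IR: information reconciliation protocol on $\mathcal{X}^n \times \mathcal{Y}^n$
    $\mathcal{F}$: two-universal family of hash functions from $\mathcal{X}^n$ to $\{0,1\}^{\ell}$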
Table 6.2 Security parameters for $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ (cf. Fig. 6.4).



N bn + m + k 



r f (2 log(9/e) + dim(H A g n B ) 2 ln fe) 

5' (| l og |*| + A)^Jh{r/n) + % log(18/e) 

M 2^h(r/m) + i(log(9/2e) + jwj log(§ + 1)) 

5 5' + log dïm(H A ®H B ) + l log(3/&) 



6.5.2 Robustness 

The usefulness of a key distillation protocol depends on the set of inputs for which it is robust, i.e., from which it can successfully distill secret keys. Obviously, the described protocol $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ is robust on all inputs for which none of its subprotocols PE, Bl, or PP aborts. Note that the post-processing PP = $\mathrm{PP}_{\mathrm{IR},\mathcal{F}}$ only aborts if the underlying information reconciliation scheme IR aborts.

Typically, the subprotocols Bl and IR are chosen in such a way that they are robust on any of the input states accepted by PE. In this case, the key distillation protocol $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ is successful whenever it starts with an input for which PE is robust. According to the discussion in Section 6.2, the protocol PE = $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ is robust on product states $\sigma_{AB}^{\otimes m}$ if $\sigma_{AB}$ is contained in the set defined by (6.2). Consequently, $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ is robust on all inputs of the form $\sigma_{AB}^{\otimes N}$, for $\sigma_{AB}$ in this set.

6.5.3 Security 

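The following is a generic criterion for the security of QKD.

Theorem 6.5.1. Let $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ be the quantum key distillation protocol defined by Fig. 6.4 and Table 6.1, let $\varepsilon, \varepsilon' > 0$, let $\delta, \mu$ be defined by Table 6.2, and let $\Gamma$ be the set defined by (6.1). Then $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ is $(\varepsilon + \varepsilon')$-fully secure



where the entropy in the minimum is evaluated on

$$\sigma_{XY\bar{E}} = \mathcal{E}^{\mathrm{Bl}}_{XY\bar{E} \leftarrow A^b B^b E^b}(\sigma_{ABE}^{\otimes b})$$

for a purification $\sigma_{ABE}$ of $\sigma_{AB}$.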



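Proof. Let $\rho_{A^N B^N}$ be any state held by Alice and Bob after they have applied the random permutation $\pi$ (averaged over all possible choices of $\pi$). Because, obviously, $\rho_{A^N B^N}$ is permutation-invariant, Lemma 4.2.2 implies that there exists a purification $\rho_{A^N B^N E^N}$ of $\rho_{A^N B^N}$ on the symmetric subspace of $(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)^{\otimes N}$. We show that the remaining part of the protocol is secure on $\rho_{A^N B^N E^N}$. This is sufficient because any density operator $\rho_{A^N B^N \bar{E}}$ which has the property that taking the partial trace over $\mathcal{H}_{\bar{E}}$ gives $\rho_{A^N B^N}$ can be obtained from the pure state $\rho_{A^N B^N E^N}$ by a trace-preserving CPM which only acts on Eve's space.

Let $\rho_{A^{bn+m} B^{bn+m} E^{bn+m}}$ be the operator obtained by taking the partial trace (over $k$ subsystems $\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$) of $\rho_{A^N B^N E^N}$. It describes the joint state on the $m$ subsystems used for parameter estimation and the $b \cdot n$ subsystems which are given as input to $\mathrm{Bl}^{\otimes n}$. According to the de Finetti representation theorem (Theorem 4.3.2) this density operator is approximated by a convex combination of density operators, where each of them is on the symmetric subspace along vectors $|\theta\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$. More precisely, with $\bar{\varepsilon} := \frac{\varepsilon}{9}$,

$$\Bigl\| \rho_{A^{bn+m} B^{bn+m} E^{bn+m}} - \int_{\mathcal{S}_1} \rho^{|\theta\rangle}_{A^{bn+m} B^{bn+m} E^{bn+m}} \, \nu(|\theta\rangle) \Bigr\|_1 \leq \bar{\varepsilon} , \tag{6.7}$$

where the integral runs over the set $\mathcal{S}_1 := \mathcal{S}_1(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)$ of normalized vectors in $\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$ and where, for any $|\theta\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$,

$$\rho^{|\theta\rangle}_{A^{bn+m} B^{bn+m} E^{bn+m}} \in \mathcal{P}\bigl(\mathrm{Sym}((\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)^{\otimes bn+m}, |\theta\rangle^{\otimes bn+m-r})\bigr) . \tag{6.8}$$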

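We first analyze the situation after the parameter estimation is completed. Let $\mathcal{E}^{\mathrm{PE}}_{A^m B^m}$ be the CPM which maps all density operators on $(\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes m}$ either to the scalar 0 or 1, depending on whether the parameter estimation protocol $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ accepts or aborts. Moreover, define

$$\rho^{\mathrm{PE}}_{A^{bn} B^{bn} E^{N}} := (\mathrm{id}_{A^{bn} B^{bn}} \otimes \mathcal{E}^{\mathrm{PE}}_{A^m B^m} \otimes \mathrm{id}_{E^N})(\rho_{A^{bn+m} B^{bn+m} E^{N}})$$

$$\rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}} := (\mathrm{id}_{A^{bn} B^{bn}} \otimes \mathcal{E}^{\mathrm{PE}}_{A^m B^m} \otimes \mathrm{id}_{E^{bn}})(\rho^{|\theta\rangle}_{A^{bn+m} B^{bn+m} E^{bn}}) .$$

Because of (6.8), we have

$$\rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}} \in \mathcal{P}\bigl(\mathrm{Sym}((\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)^{\otimes bn}, |\theta\rangle^{\otimes bn-r})\bigr) , \tag{6.9}$$

for any $|\theta\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E$. Moreover, from (6.7) and the fact that the $L_1$-distance cannot increase when applying a quantum operation (Lemma A.2.1) we have

$$\Bigl\| \rho^{\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}} - \int_{\mathcal{S}_1} \rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}} \, \nu(|\theta\rangle) \Bigr\|_1 \leq \bar{\varepsilon} . \tag{6.10}$$

According to Lemma 6.2.2 the parameter estimation $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ $\bar{\varepsilon}$-securely filters all states $\rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}}$ for which $|\theta\rangle$ is not contained in the set

$$\mathcal{V}^{\mu} := \{ |\theta\rangle \in \mathcal{S}_1 : \mathrm{tr}_E(|\theta\rangle\langle\theta|) \in \Gamma \} .$$

We can thus restrict the integral in (6.10) to the set $\mathcal{V}^{\mu}$, thereby only losing terms with total weight at most $\bar{\varepsilon}$, i.e.,

$$\Bigl\| \rho^{\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}} - \int_{\mathcal{V}^{\mu}} \rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}} \, \nu(|\theta\rangle) \Bigr\|_1 \leq 2\bar{\varepsilon} . \tag{6.11}$$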

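To describe the situation after the measurement and blockwise processing $\mathrm{Bl}^{\otimes n}$, we define

$$\rho_{X^n Y^n \bar{E}^n E^{m+k}} := \bigl((\mathcal{E}^{\mathrm{Bl}}_{XY\bar{E} \leftarrow A^b B^b E^b})^{\otimes n} \otimes \mathrm{id}_{E^{m+k}}\bigr)(\rho^{\mathrm{PE}}_{A^{bn} B^{bn} E^{bn+m+k}})$$

$$\rho^{|\theta\rangle}_{X^n Y^n \bar{E}^n} := (\mathcal{E}^{\mathrm{Bl}}_{XY\bar{E} \leftarrow A^b B^b E^b})^{\otimes n}(\rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}}) .$$

Using once again the fact that the $L_1$-distance cannot increase under quantum operations (Lemma A.2.1), we conclude from (6.11) that

$$\Bigl\| \rho_{X^n Y^n \bar{E}^n} - \int_{\mathcal{V}^{\mu}} \rho^{|\theta\rangle}_{X^n Y^n \bar{E}^n} \, \nu(|\theta\rangle) \Bigr\|_1 \leq 2\bar{\varepsilon} . \tag{6.12}$$

According to (6.9), the density operator $\rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}}$ lies in the symmetric subspace of the $(b \cdot n)$-fold product space $(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)^{\otimes bn}$ along $|\theta\rangle^{\otimes bn-r}$, i.e., it has product form except on $r$ subsystems. Equivalently, we can view $\rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}}$ as a density operator on the $n$-fold product of subsystems $\mathcal{H}_{A^b B^b E^b} := \mathcal{H}_A^{\otimes b} \otimes \mathcal{H}_B^{\otimes b} \otimes \mathcal{H}_E^{\otimes b}$. It then has product form on all but (at most) $r$ of these subsystems. That is, $\rho^{|\theta\rangle,\mathrm{PE}}_{A^{bn} B^{bn} E^{bn}}$ is contained in the symmetric subspace of $\mathcal{H}_{A^b B^b E^b}^{\otimes n}$ along $|\theta^b\rangle^{\otimes n-r}$, where $|\theta^b\rangle := |\theta\rangle^{\otimes b} \in \mathcal{H}_{A^b B^b E^b}$. This allows us to apply Theorem 4.4.1 in order to bound the entropy of the symmetric states $\rho^{|\theta\rangle}_{X^n Y^n \bar{E}^n}$. With the definition

$$\sigma^{|\theta\rangle}_{XY\bar{E}} := \mathcal{E}^{\mathrm{Bl}}_{XY\bar{E} \leftarrow A^b B^b E^b}(\sigma_{ABE}^{\otimes b}) ,$$

where $\sigma_{ABE} := |\theta\rangle\langle\theta|$, we obtain

$$H^{\bar{\varepsilon}}_{\min}(\rho^{|\theta\rangle}_{X^n \bar{E}^n}|\bar{E}^n) \geq n\bigl(H(\sigma^{|\theta\rangle}_{X\bar{E}}) - H(\sigma^{|\theta\rangle}_{\bar{E}}) - \delta'\bigr) .$$

Consequently, using (6.12) together with the inequalities (3.19) and (3.20) of Theorem

$$H^{3\bar{\varepsilon}}_{\min}(\rho_{X^n \bar{E}^n}|\bar{E}^n) \geq n \min_{|\theta\rangle \in \mathcal{V}^{\mu}} \bigl(H(\sigma^{|\theta\rangle}_{X\bar{E}}) - H(\sigma^{|\theta\rangle}_{\bar{E}}) - \delta'\bigr) .$$

Moreover, by the chain rule for smooth min-entropy (cf. (3.21) of Theorem 3.2.12)

$$H^{3\bar{\varepsilon}}_{\min}(\rho_{X^n \bar{E}^n E^{m+k}}|\bar{E}^n E^{m+k}) \geq n \min_{|\theta\rangle \in \mathcal{V}^{\mu}} \bigl(H(\sigma^{|\theta\rangle}_{X\bar{E}}) - H(\sigma^{|\theta\rangle}_{\bar{E}}) - \delta'\bigr) - 2 H_{\max}(\rho_{E^{m+k}}) .$$

Finally, we use Lemma 6.4.1 which provides a criterion on the maximum length $\ell$ such that the secret key computed by the post-processing subprotocol PP is $(\varepsilon + \varepsilon')$-secure,

$$\ell \leq n \min_{|\theta\rangle \in \mathcal{V}^{\mu}} \bigl(H(\sigma^{|\theta\rangle}_{X\bar{E}}) - H(\sigma^{|\theta\rangle}_{\bar{E}}) - \delta'\bigr) - 2 H_{\max}(\rho_{E^{m+k}}) - \mathrm{leak}_{\mathrm{IR}} - 2\log(3/2\varepsilon) .$$

The assertion then follows from

$$H_{\max}(\rho_{E^{m+k}}) \leq (m + k) \log \dim(\mathcal{H}_A \otimes \mathcal{H}_B) ,$$

the fact that $|\theta\rangle \in \mathcal{V}^{\mu}$ if and only if the trace $\sigma_{AB}$ of $\sigma_{ABE} := |\theta\rangle\langle\theta|$ is contained in the set $\Gamma$, and the definition of $\delta$ (cf. Table 6.2). □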

Note that the protocol $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ takes as input $N$ subsystems and generates a key of a certain fixed length $\ell$. In order to make asymptotic statements, we need to consider a family $\{\mathrm{QKD}^{N}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}\}_{N \in \mathbb{N}}$ of such protocols, where, for any $N \in \mathbb{N}$, the corresponding protocol takes $N$ input systems and generates a key of length $\ell(N)$. The rate of the protocol family is then defined by

$$\mathrm{rate} := \lim_{N \to \infty} \frac{\ell(N)}{N} .$$

Corollary 6.5.2. Let $\delta, \mu > 0$, a protocol Bl acting on blocks of length $b$, a POVM $\mathcal{M} = \{M_w\}_{w \in \mathcal{W}}$, and a set $\mathcal{Q}$ of probability distributions on $\mathcal{W}$ be fixed, and let $\Gamma$ be the set defined by (6.1). Then there exist $\gamma > 0$ and parameters $n = n(N)$, $m = m(N)$, $\ell = \ell(N)$ such that the class of protocols $\mathrm{QKD}^{N}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ (parameterized by $N \in \mathbb{N}$) defined by Fig. 6.4 and Table 6.1 has rate

$$\mathrm{rate} = \frac{1}{b} \min_{\sigma_{AB} \in \Gamma} H(X|\bar{E}) - H(X|Y) - \delta ,$$

where the entropies in the minimum are evaluated on

$$\sigma_{XY\bar{E}} = \mathcal{E}^{\mathrm{Bl}}_{XY\bar{E} \leftarrow A^b B^b E^b}(\sigma_{ABE}^{\otimes b})$$

for a purification $\sigma_{ABE}$ of $\sigma_{AB}$. Moreover, for any $N \geq 0$, the protocol $\mathrm{QKD}^{N}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ is $e^{-\gamma N}$-fully secure.

Proof. The statement follows directly from Theorem 6.5.1 combined with Corollary HTÏÏ31 □



6.6 Quantum key distribution 

As described in Section 1.2, one can think of a quantum key distribution (QKD) protocol as a two-step process where Alice and Bob first use the quantum channel to distribute entanglement and then apply a quantum key distillation scheme to generate the final key pair. To prove security of a QKD protocol, it thus suffices to verify that the underlying key distillation protocol is secure on any input. Hence, the security results for key distillation protocols derived in the previous section (Theorem 6.5.1 and Corollary 6.5.2) directly apply to QKD protocols.

We can, however, further improve these results by taking into account that the way Alice and Bob use the quantum channel in the first step imposes some additional restrictions on the possible inputs to the distillation protocol. For example, if Alice locally prepares entangled states and then sends parts of them to Bob (note that this is actually the case for most QKD protocols, viewed as entanglement-based schemes), it is impossible for the adversary to tamper with the part belonging to Alice. Formally, this means that the partial state on Alice's subsystem is independent of Eve's attack.

Using this observation, we can restrict the set $\Gamma$ of states $\sigma_{AB}$ (as defined by (6.1)) over which the minimum is taken in the criterion of Theorem 6.5.1 and Corollary 6.5.2. In fact, it follows directly from Remark 14 .11 i M that it suffices to consider states $\sigma_{AB}$ such that $\sigma_A = \mathrm{tr}_B(\sigma_{AB})$ is fixed.



Chapter 7 

Examples 



To illustrate the general results of the previous chapter, we analyze certain concrete QKD protocols. We first specialize the formula for the rate (cf. Corollary 6.5.2) to protocols based on two-level quantum systems (Section 7.1). Then, as an example, we analyze different variants of the six-state protocol and compute explicit values for their rates (Section 7.2).

7.1 Protocols based on two-level systems

A large class of QKD protocols, including the well-known BB84 protocol or the six-state protocol, are based on an encoding of binary classical values using the state of a two-level quantum system, such as the spin of a photon. For the corresponding key distillation protocol (see Fig. 6.4), this means that Alice and Bob take inputs from (products of) two-dimensional Hilbert spaces on which they apply binary measurements. In the following, we analyze different variants of such protocols.

7.1.1 One-way protocols

We start with a basic key distillation protocol which only uses information reconciliation and privacy amplification (as described in Section 6.4) to transform the raw key pair into a pair of secret keys. More precisely, after the measurement of their subsystems, Alice and Bob immediately invoke an information reconciliation protocol (e.g., the protocol depicted in Fig. 6.2) such that Bob can compute a guess of Alice's values; the final key is then obtained by two-universal hashing. Because this post-processing only requires communication from Alice to Bob, such protocols are also called one-way key distillation protocols.¹

¹ Note, however, that bidirectional communication is always needed for the parameter estimation step.
Clearly, the one-way key distillation protocol described above is a special case of the general protocol $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ depicted in Fig. 6.4 where Bl := Meas is the subprotocol describing the measurement operation of Alice and Bob. Additionally, assume that the parameter estimation subprotocol PE is the protocol $\mathrm{PE}_{\mathcal{M},\mathcal{Q}}$ depicted in Fig. 6.1 where $\mathcal{M}$ is a POVM and $\mathcal{Q}$ is the set of statistics for which the protocol does not abort. We can then use Corollary 6.5.2 to compute the rate of the protocol, that is,

$$\mathrm{rate} = \min_{\sigma_{AB} \in \Gamma} H(X|E) - H(X|Y) . \tag{7.1}$$

Here, the minimum ranges over the set

$$\Gamma := \{ \sigma_{AB} : P_W^{\sigma_{AB}} \in \mathcal{Q} \} \tag{7.2}$$

of all density operators $\sigma_{AB}$ on the $2 \times 2$-dimensional Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_B$ such that the measurement with respect to $\mathcal{M}$ gives a probability distribution $P_W^{\sigma_{AB}}$ which is contained in the set $\mathcal{Q}$. Moreover, the von Neumann (or Shannon) entropies $H(X|E)$ and $H(X|Y)$ are evaluated for the operators

where $\sigma_{ABE}$ is a purification of $\sigma_{AB}$.

Let $\{|0\rangle_A, |1\rangle_A\}$ and $\{|0\rangle_B, |1\rangle_B\}$ be the bases that Alice and Bob use for the measurement Meas.² Lemma 7.1.1 below provides an explicit lower bound on the entropy difference on the right hand side of (7.1) as a function of $\sigma_{ABE}$. The bound only depends on the diagonal values of $\sigma_{AB}$ with respect to the Bell basis, which is defined by the vectors

l*o> 

l*2> 
1*3) 

where $|x, y\rangle := |x\rangle_A \otimes |y\rangle_B$.

Lemma 7.1.1. Let both $\mathcal{H}_A$ and $\mathcal{H}_B$ be two-dimensional Hilbert spaces, let $\sigma_{ABE} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)$ be a density operator, and let $\sigma_{XYE}$ be obtained from $\sigma_{ABE}$ by applying orthonormal measurements on $\mathcal{H}_A$ and $\mathcal{H}_B$. Then

$$H(X|E) - H(X|Y) \geq 1 - (\lambda_0 + \lambda_1)\, h\Bigl(\frac{\lambda_0}{\lambda_0 + \lambda_1}\Bigr) - (\lambda_2 + \lambda_3)\, h\Bigl(\frac{\lambda_2}{\lambda_2 + \lambda_3}\Bigr) - h(\lambda_0 + \lambda_1) ,$$

where $\lambda_i := \langle\Phi_i|\sigma_{AB}|\Phi_i\rangle$ are the diagonal values of $\sigma_{AB}$ with respect to the Bell basis (defined relative to the measurement basis).

² Meas describes the measurement that generates the data used for the computation of the final key. It might be different from the measurement $\mathcal{M}$ which is used for parameter estimation.

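Proof. Let $\mathcal{D}$ be the CPM defined by

$$\mathcal{D}(\sigma_{AB}) := \frac{1}{4} \sum_{\sigma \in \{\mathrm{id}, \sigma_x, \sigma_y, \sigma_z\}} \sigma^{\otimes 2}\, \sigma_{AB}\, \sigma^{\otimes 2} ,$$

where $\sigma_x, \sigma_y, \sigma_z$ are the Pauli operators

$$\sigma_x := \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix} \qquad \sigma_y := \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix} \qquad \sigma_z := \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix} , \tag{7.3}$$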

and let òabe be a purification of à A B '•= T^ÍPAb)- Moreover, let òabe be 
an arbitrary purification of oab with auxiliary system He and define 

cíxyE := (SxyLab ^ ^e)(òabe) ■ 
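A straightforward calculation shows that the operator $\tilde{\sigma}_{AB}$ has the form

$$\tilde{\sigma}_{AB} = \sum_{i=0}^{3} \lambda_i |\Phi_i\rangle\langle\Phi_i| ,$$

i.e., it is diagonal with respect to the Bell basis. Moreover, because $\mathcal{D}$ commutes with the measurement operation on $\mathcal{H}_A \otimes \mathcal{H}_B$, it is easy to verify that the entropy $H(X|Y)$ evaluated for $\sigma_{XY}$ is upper bounded by the corresponding entropy for $\tilde{\sigma}_{XY}$. Similarly, because $\tilde{\sigma}_{ABE}$ is a purification of $\tilde{\sigma}_{AB}$, the entropy $H(X|E)$ evaluated for $\sigma_{XE}$ is lower bounded by the entropy of $\tilde{\sigma}_{XE}$. It thus suffices to show that the inequality of the lemma holds for the operator $\tilde{\sigma}_{XYE}$, which is obtained from the diagonal operator $\tilde{\sigma}_{AB}$.

Let $\{|e_i\rangle\}_i$ be an orthonormal basis of a 4-dimensional Hilbert space $\mathcal{H}_E$. Then the operator $\tilde{\sigma}_{ABE} := |\Psi\rangle\langle\Psi| \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)$ defined by

$$|\Psi\rangle := \sum_{i} \sqrt{\lambda_i}\, |\Phi_i\rangle_{AB} \otimes |e_i\rangle_E$$

$$|f_{0,0}\rangle := \sqrt{\tfrac{\lambda_0}{2}}\, |e_0\rangle + \sqrt{\tfrac{\lambda_1}{2}}\, |e_1\rangle$$
$$|f_{1,1}\rangle := \sqrt{\tfrac{\lambda_0}{2}}\, |e_0\rangle - \sqrt{\tfrac{\lambda_1}{2}}\, |e_1\rangle$$
$$|f_{0,1}\rangle := \sqrt{\tfrac{\lambda_2}{2}}\, |e_2\rangle + \sqrt{\tfrac{\lambda_3}{2}}\, |e_3\rangle$$
$$|f_{1,0}\rangle := \sqrt{\tfrac{\lambda_2}{2}}\, |e_2\rangle - \sqrt{\tfrac{\lambda_3}{2}}\, |e_3\rangle ,$$

the state $|\Psi\rangle$ can be rewritten as

$$|\Psi\rangle = \sum_{x,y} |x, y\rangle \otimes |f_{x,y}\rangle .$$

Because the operator $\tilde{\sigma}_{XYE}$ is obtained from $\tilde{\sigma}_{ABE}$ by orthonormal measurements on $\mathcal{H}_A$ and $\mathcal{H}_B$, we conclude

$$\tilde{\sigma}_{XYE} = \sum_{x,y} |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \tilde{\sigma}_E^{x,y} ,$$

where $\tilde{\sigma}_E^{x,y} := |f_{x,y}\rangle\langle f_{x,y}|$.

Using this representation of the operator $\tilde{\sigma}_{XYE}$, it is easy to see that

$$H(\tilde{\sigma}_{XE}) = 1 + h(\lambda_0 + \lambda_1)$$
$$H(\tilde{\sigma}_{E}) = h(\lambda_0 + \lambda_1) + (\lambda_0 + \lambda_1)\, h\Bigl(\frac{\lambda_0}{\lambda_0 + \lambda_1}\Bigr) + (\lambda_2 + \lambda_3)\, h\Bigl(\frac{\lambda_2}{\lambda_2 + \lambda_3}\Bigr)$$
$$H(X|Y) = h(\lambda_0 + \lambda_1) ,$$

from which the assertion follows. □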

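Using Lemma 7.1.1 we conclude that the above described one-way protocol can generate secret-key bits at rate

$$\mathrm{rate} \geq \min_{(\lambda_0, \ldots, \lambda_3) \in \mathrm{diag}(\Gamma)} 1 - (\lambda_0 + \lambda_1)\, h\Bigl(\frac{\lambda_0}{\lambda_0 + \lambda_1}\Bigr) - (\lambda_2 + \lambda_3)\, h\Bigl(\frac{\lambda_2}{\lambda_2 + \lambda_3}\Bigr) - h(\lambda_0 + \lambda_1) , \tag{7.4}$$

where $\mathrm{diag}(\Gamma)$ denotes the 4-tuples of diagonal entries (relative to the Bell basis) of the operators $\sigma_{AB} \in \Gamma$, for $\Gamma$ defined by (7.2).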
7.1.2 One-way protocols with noisy preprocessing

The efficiency of the basic QKD protocol described in Section 7.1.1 can be increased in different ways. We consider an extension of the protocol where, before starting with information reconciliation, Alice applies some local preprocessing operation to her raw key. A very simple — but surprisingly useful — variant of preprocessing is to add noise, i.e., Alice flips each of her bits independently with some probability $q$. In the following, we call this noisy preprocessing.

To compute the rate of the one-way protocol enhanced with this type of preprocessing, we need a generalization of Lemma 7.1.1.

Lemma 7.1.2. Let both $\mathcal{H}_A$ and $\mathcal{H}_B$ be two-dimensional Hilbert spaces, let $\sigma_{ABE} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_E)$ be a density operator, and let $\sigma_{XYE}$ be obtained from $\sigma_{ABE}$ by applying orthonormal measurements on $\mathcal{H}_A$ and $\mathcal{H}_B$ where, additionally, the outcome of the measurement on $\mathcal{H}_A$ is flipped with probability $q \in [0, 1]$. Then

$$H(X|E) - H(X|Y) \geq 1 - (\lambda_0 + \lambda_1)\bigl(h(\alpha) - h(\alpha, q)\bigr) - (\lambda_2 + \lambda_3)\bigl(h(\beta) - h(\beta, q)\bigr) - h\bigl((\lambda_0 + \lambda_1) q + (\lambda_2 + \lambda_3)(1 - q)\bigr) ,$$

where $\lambda_i := \langle\Phi_i|\sigma_{AB}|\Phi_i\rangle$, $\alpha := \frac{\lambda_0}{\lambda_0 + \lambda_1}$, $\beta := \frac{\lambda_2}{\lambda_2 + \lambda_3}$, and

$$h(p, q) := h\Bigl(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{1 - 16 p (1 - p) q (1 - q)}\Bigr) .$$

Proof. The statement follows by a straightforward extension of the proof of Lemma 7.1.1. □

Similarly to formula (7.4), the rate of the one-way protocol with noisy preprocessing — where Alice additionally flips her bits with probability $q$ — is given by the expression provided by Lemma 7.1.2, minimized over all 4-tuples $(\lambda_0, \ldots, \lambda_3) \in \mathrm{diag}(\Gamma)$. It turns out that this rate is generally larger than the rate of the corresponding one-way protocol without preprocessing (see Section 7.2 below).

7.1.3 Protocols with advantage distillation 

To further increase the efficiency of the key distillation protocol described above, one might insert an additional advantage distillation step after the measurement Meas, i.e., before the classical one-way post-processing.³ Its purpose is to identify subsets of highly correlated bit pairs such as to separate these from only weakly correlated information.

³ The concept of advantage distillation has first been introduced in a purely classical context [Mau93], where a secret key is generated from some predistributed correlated data.
Fig. 7.1 Advantage distillation protocol $\mathrm{AD}_b$.

Parameters:
b: block length

Alice, input $(x_1, \ldots, x_b)$: choose $r \in_R \{0, 1\}$ and send $(c_1, \ldots, c_b) := (x_1 \oplus r, \ldots, x_b \oplus r)$ to Bob.
Bob, input $(y_1, \ldots, y_b)$: if $(y_1 \oplus c_1, \ldots, y_b \oplus c_b) \in \{\mathbf{0}, \mathbf{1}\}$ then acc := true; send acc to Alice.
Alice: if acc then output $x_1$ else output $\Delta$.
Bob: if acc then output $y_1$ else output $\Delta$.

A typical advantage distillation protocol is depicted in Fig. 7.1. Alice and Bob split their bitstrings into blocks $(x_1, \ldots, x_b)$ and $(y_1, \ldots, y_b)$ of size $b$. Then, depending on a randomly chosen binary value $r$, Alice announces to Bob either $(x_1, \ldots, x_b)$ or $(x_1 \oplus 1, \ldots, x_b \oplus 1)$ (where $\oplus$ denotes the bitwise xor). Bob compares this information with his block $(y_1, \ldots, y_b)$ and accepts if it either differs in none or in all positions, i.e., if the difference equals either $\mathbf{0} := (0, \ldots, 0)$ or $\mathbf{1} := (1, \ldots, 1)$. In this case, Alice and Bob both keep the first bit of their initial string. Otherwise, they output some dummy symbol $\Delta$.⁴ Obviously, if the error probability per bit (i.e., the error rate of the channel) is $e$ then the probability $p_{\mathrm{succ}}$ that advantage distillation on a block of length $b$ is successful (i.e., Alice and Bob keep their bit) is $p_{\mathrm{succ}} = e^b + (1 - e)^b$.
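The protocol step described above can be exercised directly. The following simulation is an added example, not code from the thesis; it assumes independent bit errors of rate e between Alice's and Bob's raw bits, represents the dummy symbol by `None`, and all function names are this example's own.

```python
import random

DUMMY = None  # stands for the dummy symbol output when the block is rejected


def ad_block(x, y, r):
    """One run of AD_b on Alice's block x and Bob's block y (lists of bits).

    Alice announces c = x XOR (r, ..., r). Bob accepts iff y XOR c is the
    all-zero or the all-one string. Returns (alice_out, bob_out, transcript).
    """
    c = [xi ^ r for xi in x]                  # message Alice -> Bob
    diff = [yi ^ ci for yi, ci in zip(y, c)]  # computed locally by Bob
    acc = all(d == 0 for d in diff) or all(d == 1 for d in diff)  # Bob -> Alice
    if acc:
        return x[0], y[0], (c, acc)
    return DUMMY, DUMMY, (c, acc)


def simulate(e, b, blocks, seed=1):
    """Run AD_b on `blocks` random blocks with per-bit error rate e.

    Returns (fraction of accepted blocks, error rate among the kept bits).
    """
    rng = random.Random(seed)
    kept = errors = 0
    for _ in range(blocks):
        x = [rng.getrandbits(1) for _ in range(b)]
        y = [xi ^ (rng.random() < e) for xi in x]   # constructed noisy copy
        a_out, b_out, _ = ad_block(x, y, rng.getrandbits(1))
        if a_out is not DUMMY:
            kept += 1
            errors += a_out != b_out
    return kept / blocks, (errors / kept if kept else 0.0)


def p_succ(e, b):
    """Acceptance probability stated in the text: e^b + (1 - e)^b."""
    return e ** b + (1 - e) ** b


def error_after_ad(e, b):
    """Error rate of the kept bits: accepted blocks in which all b bits differ."""
    return e ** b / p_succ(e, b)


if __name__ == "__main__":
    rate, err = simulate(0.1, 3, 50000)
    print("accepted:", rate, "expected:", p_succ(0.1, 3))
    print("error after AD:", err, "expected:", error_after_ad(0.1, 3))
```

The kept bits disagree only when every position of the block was in error, which is why the residual error rate falls from e to e^b / p_succ.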

Let us now consider the general protocol $\mathrm{QKD}_{\mathrm{PE},\mathrm{Bl},\mathrm{PP}}$ where the subprotocol Bl consists of $b$ binary measurements Meas of Alice and Bob followed by the advantage distillation protocol $\mathrm{AD}_b$ described in Fig. 7.1, i.e.,

$$\mathcal{E}^{\mathrm{Bl}}_{XY\bar{E} \leftarrow A^b B^b E^b} = \mathcal{E}^{\mathrm{AD}_b}_{XY\bar{E} \leftarrow X^b Y^b E^b} \circ (\mathcal{E}^{\mathrm{Meas}}_{XY \leftarrow AB} \otimes \mathrm{id}_E)^{\otimes b} . \tag{7.5}$$

⁴ As suggested in [Mau93], the efficiency of this advantage distillation protocol is further increased if Alice and Bob, instead of acting on large blocks at once, iteratively repeat the described protocol step on very small blocks (consisting of only 2 or 3 bits).

It is easy to see that the subprotocol $\mathrm{AD}_b$ commutes with the measurement Meas, that is, (7.5) can be rewritten as

$$\mathcal{E}^{\mathrm{Bl}}_{XY\bar{E} \leftarrow A^b B^b E^b} = (\mathcal{E}^{\mathrm{Meas}}_{XY \leftarrow AB} \otimes \mathrm{id}_{\bar{E}}) \circ \mathcal{E}^{\mathrm{AD}_b}_{AB\bar{E} \leftarrow A^b B^b E^b} .$$

Moreover, a straightforward computation⁵ shows that, if $\sigma_{AB}$ has diagonal entries $\lambda_0, \ldots, \lambda_3$ with respect to the Bell basis then, with probability

$$p_{\mathrm{succ}} := (\lambda_0 + \lambda_1)^b + (\lambda_2 + \lambda_3)^b ,$$

the advantage distillation $\mathrm{AD}_b$ is successful and the operation $\mathcal{E}^{\mathrm{AD}_b}_{AB \leftarrow A^b B^b}$ induced by $\mathrm{AD}_b$ (conditioned on the event that it is successful) maps $\sigma_{AB}^{\otimes b}$ to an operator $\tilde{\sigma}_{AB}$ with diagonal entries

$$\tilde{\lambda}_0 = \frac{(\lambda_0 + \lambda_1)^b + (\lambda_0 - \lambda_1)^b}{2 p_{\mathrm{succ}}}$$
$$\tilde{\lambda}_1 = \frac{(\lambda_0 + \lambda_1)^b - (\lambda_0 - \lambda_1)^b}{2 p_{\mathrm{succ}}}$$
$$\tilde{\lambda}_2 = \frac{(\lambda_2 + \lambda_3)^b + (\lambda_2 - \lambda_3)^b}{2 p_{\mathrm{succ}}}$$
$$\tilde{\lambda}_3 = \frac{(\lambda_2 + \lambda_3)^b - (\lambda_2 - \lambda_3)^b}{2 p_{\mathrm{succ}}} .$$

Inserting these coefficients into the expressions provided by Lemma 7.1.1 gives a bound on the entropy difference which can be inserted into the formula for the rate (7.1).⁶ We conclude that the key distillation protocol enhanced with advantage distillation on blocks of length $b$ can generate key bits at rate

$$\mathrm{rate} \geq \frac{1}{b} \min_{(\lambda_0, \ldots, \lambda_3) \in \mathrm{diag}(\Gamma)} p_{\mathrm{succ}} \cdot \Bigl(1 - (\tilde{\lambda}_0 + \tilde{\lambda}_1)\, h\Bigl(\frac{\tilde{\lambda}_0}{\tilde{\lambda}_0 + \tilde{\lambda}_1}\Bigr) - (\tilde{\lambda}_2 + \tilde{\lambda}_3)\, h\Bigl(\frac{\tilde{\lambda}_2}{\tilde{\lambda}_2 + \tilde{\lambda}_3}\Bigr) - h(\tilde{\lambda}_0 + \tilde{\lambda}_1)\Bigr) , \tag{7.6}$$

where $\Gamma$ is the set defined by (7.2). Note that, in the special case where the block size $b$ equals 1, the advantage distillation is trivial, that is, $\tilde{\lambda}_i = \lambda_i$, and (7.6) reduces to (7.4).

Similarly to the discussion in Section 7.1.2, one might enhance the protocol with noisy preprocessing on Alice's side, i.e., Alice flips her bits with some probability $q$ after the advantage distillation step. The rate is then given by a formula similar to (7.6), where the expression in the minimum is replaced by the bound on the entropy difference provided by Lemma 7.1.2 evaluated for the coefficients $\tilde{\lambda}_i$.

⁵ For this computation, it is convenient to use the mapping $\mathcal{D}$ defined above, which allows to restrict the argument to the special case where $\sigma_{AB}$ is Bell diagonal.

⁶ Note that, conditioned on the event that $\mathrm{AD}_b$ is not successful (i.e., Alice and Bob's outputs are $\Delta$), the entropy difference is zero.

Note that, as the block size $b$ increases, the coefficients $\tilde{\lambda}_2$ and $\tilde{\lambda}_3$ approach zero, while $\tilde{\lambda}_0$ and $\tilde{\lambda}_1$ both tend to $\frac{1}{2}$. To get an approximation, it is thus sufficient to evaluate the expression of Lemma 7.1.2 up to small orders in $\tilde{\lambda}_2$ and $\tilde{\lambda}_3$.



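Lemma 7.1.3. Let $\lambda_0, \ldots, \lambda_3$ and $\sigma_{XYE}$ be defined as in Lemma 7.1.2 where $\lambda_0 = (1 - \delta)\frac{1 + \varepsilon}{2}$, $\lambda_1 = (1 - \delta)\frac{1 - \varepsilon}{2}$, $\lambda_2 = \lambda_3 = \frac{\delta}{2}$ for some $\delta, \varepsilon > 0$. Then



$H(X|E) - H(X|Y)$
In particular, this quantity is positive if $\varepsilon^2 > 6\delta$.



Proof. The assertion follows immediately from a series expansion of the bound provided by Lemma 7.1.2 about $\varepsilon = 0$ and $\delta = 0$. □

Lemma 7.1.3 can be used to compute a bound on the rate of the protocol described above (advantage distillation followed by noisy preprocessing). Under the assumption that the coefficients $\tilde{\lambda}_0, \ldots, \tilde{\lambda}_3$ are of the form

$$\tilde{\lambda}_0 = (1 - \delta)\frac{1 + \varepsilon}{2}$$
$$\tilde{\lambda}_1 = (1 - \delta)\frac{1 - \varepsilon}{2}$$
$$\tilde{\lambda}_2 = \tilde{\lambda}_3 = \frac{\delta}{2} ,$$

for some small $\delta, \varepsilon > 0$, we get, analogously to (7.6),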



rate " \ (v...,Sa K( r) facc • (hT8 (1 - - 6 ^ (5 - Q) 



2 



+ 0(5 3 + e 3 + (±-q) 3 )) . (7.7) 



7.2 The six-state protocol 

To illustrate the results of Section 7.1, we apply them to different variants of the six-state QKD protocol, for which we explicitly compute the rate and the maximum tolerated channel noise. The six-state protocol is one of the most efficient QKD schemes based on two-level systems, that is, the rate at which secret key bits can be generated per channel use is relatively close to the theoretical maximum. On the other hand, it is not very suitable for practical implementations, as it requires devices for preparing and measuring two-level quantum systems with respect to six different states.

7.2.1 Description

Instead of describing the actual six-state QKD protocol, we specify the underlying key distillation scheme: Alice and Bob take as input entangled two-level systems and measure each of them using at random one of three mutually unbiased bases, which results in a pair of raw keys.⁷ Usually, these are the rectilinear or z-basis $\{|0\rangle_z, |1\rangle_z\}$, the diagonal or x-basis $\{|0\rangle_x, |1\rangle_x\}$, and the circular or y-basis $\{|0\rangle_y, |1\rangle_y\}$, which are related by

$$|0\rangle_x = \tfrac{1}{\sqrt{2}}(|0\rangle_z + |1\rangle_z) \qquad |0\rangle_y = \tfrac{1}{\sqrt{2}}(|0\rangle_z + i|1\rangle_z)$$
$$|1\rangle_x = \tfrac{1}{\sqrt{2}}(|0\rangle_z - |1\rangle_z) \qquad |1\rangle_y = \tfrac{1}{\sqrt{2}}(|0\rangle_z - i|1\rangle_z) .$$

Next, in a sifting step, Alice and Bob compare their choices of bases and discard all outcomes for which these do not agree. Note that, if Alice and Bob choose one of the bases with probability almost one, they only have to discard a small fraction of their raw keys (see discussion in Section 1.2).

In the parameter estimation step, Alice and Bob compare the bit values of their raw keys for a small fraction of randomly chosen positions. They abort if the error rate $e$ — i.e., the fraction of positions for which their bits differ — is larger than some threshold. For the following analysis, we assume that Alice and Bob additionally check whether the error $e$ is equally distributed among the different choices of the measurement bases and symmetric under bitflips.

Finally, Alice and Bob use the remaining part of their raw key to generate a pair of secret keys. For this, they might invoke different variants of advantage distillation and one-way post-processing subprotocols, as described in Section 7.1.

7.2.2 Analysis 

To compute the rate of the six-state protocol (for different variants of the post-processing) we use the formulas derived in Section 7.1. The set $\Gamma$, as defined by (7.2), depends on the error rate $e$. For any fixed $e$, we get six conditions on the operators $\sigma_{AB}$ contained in $\Gamma$, namely

$$(\langle b|_u \otimes \langle b'|_u)\, \sigma_{AB}\, (|b\rangle_u \otimes |b'\rangle_u) = \frac{e}{2} , \tag{7.8}$$

for any $u \in \{x, y, z\}$ and $b, b' \in \{0, 1\}$ with $b \neq b'$. It is easy to verify that the only density operator that satisfies these equalities is Bell-diagonal and has eigenvalues $\lambda_0 = 1 - \frac{3e}{2}$, $\lambda_1 = \lambda_2 = \lambda_3 = \frac{e}{2}$. $\Gamma$ is thus the set of all density operators of the form (with respect to the Bell basis)

$$\sigma_{AB} = \begin{pmatrix} 1 - \frac{3e}{2} & 0 & 0 & 0 \\ 0 & \frac{e}{2} & 0 & 0 \\ 0 & 0 & \frac{e}{2} & 0 \\ 0 & 0 & 0 & \frac{e}{2} \end{pmatrix}$$

for any $e \geq 0$ below some threshold.

⁷ Because each of the three bases consists of two orthonormal vectors, the information is encoded into six different states, which explains the name of the protocol.
One-way six-state protocol 

In a basic version of the six-state QKD protocol, Alice and Bob apply post-processing (i.e., information reconciliation followed by privacy amplification) directly to their measured data, as described in Section 7.1.1. The rate of this protocol can be computed using (7.4) where, according to the above discussion, $\lambda_0 = 1 - \frac{3e}{2}$ and $\lambda_1 = \lambda_2 = \lambda_3 = \frac{e}{2}$. Plot 7.1 shows the result of a numerical evaluation of this formula. In particular, the maximum tolerated channel noise for which the key rate is nonzero is 12.6%.

Next, we consider the one-way six-state protocol enhanced with additional noisy preprocessing as described in Section 7.1.2. That is, before the information reconciliation step, Alice applies random bitflips with probability $q$ to her measurement outcomes. The rate of this protocol can be computed with Lemma 7.1.2. A little bit surprisingly, it turns out that noisy preprocessing increases its performance (see Plot 7.2). As shown in Plot 7.3, the optimal value of the bit-flip probability $q$ depends on the error rate of the channel $e$. The protocol can tolerate errors up to 14.1% and thus beats the basic version (without noisy preprocessing) described above. Note that this result also improves on the previously best known lower bound for the maximum error tolerance of the six-state protocol with one-way processing, which was 12.7% [Lo00]. (Similarly, the same preprocessing can be applied to the BB84 protocol, in which case we get an error tolerance of 12.4%, compared to the best known value of 11.0% [SP00].)

Plot 7.1 Rate of the basic one-way six-state protocol (without noisy preprocessing) as a function of the error rate $e$.

Plot 7.2 Rate of the one-way six-state protocol with noisy preprocessing (where Alice flips her bits with probability $q$ as depicted in Plot 7.3).

Plot 7.3 Optimal value of the bit-flip probability $q$ for the noisy preprocessing used in the one-way six-state protocol.

Six-state protocol with advantage distillation

The performance of the six-state protocol is increased if Alice and Bob additionally use advantage distillation as described in Section 7.1.3. For example, Alice and Bob might invoke the protocol $\mathrm{AD}_b$ depicted in Fig. 7.1 to process their measurement outcomes before the information reconciliation and privacy amplification step. The rate of the protocol is then given by (7.6). Because $\lambda_0 = 1 - \frac{3e}{2}$ and $\lambda_1 = \lambda_2 = \lambda_3 = \frac{e}{2}$, the coefficients $\tilde{\lambda}_i$ occurring in this formula are

$$\tilde{\lambda}_0 = \frac{(1 - e)^b + (1 - 2e)^b}{2 p_{\mathrm{succ}}}$$
$$\tilde{\lambda}_1 = \frac{(1 - e)^b - (1 - 2e)^b}{2 p_{\mathrm{succ}}}$$
$$\tilde{\lambda}_2 = \tilde{\lambda}_3 = \frac{e^b}{2 p_{\mathrm{succ}}} ,$$

where $p_{\mathrm{succ}} = (1 - e)^b + e^b$. Plot 7.4 shows the result of this computation for a block size of $b = 4$.

Plot 7.4 Rate of the six-state protocol with advantage distillation on blocks of length 4.

Finally, we have a look at an extended protocol which combines ad- 
vantage distillation and noisy preprocessing. That is, after the advantage 
distillation AD;,, Alice flips her bits with probability q (see Plot, I7.5[) . For 
large block sizes ò, the rate of the protocol is given by (|7.7j) . for 



e b 



1 - e) b + e b 
1 - 2e- 



1 

In particular, for b approaching infinity, the secret-key rate is positive if (see 
Lemma IT. 1 .H|l 

$$\left(\frac{1-2e}{1-e}\right)^{2b} > 6 \cdot \frac{e^b}{(1-e)^b + e^b} \; .$$
Some simple analysis shows that this inequality is satisfied (for large b) if 
e < \ — ~ 0.276. We conclude that the protocol can tolerate errors up 
to 27.6%. 
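
The "simple analysis" can be spelled out as follows (an added derivation, not part of the original text; it reads the positivity condition as $\left(\frac{1-2e}{1-e}\right)^{2b} > 6 \cdot \frac{e^b}{(1-e)^b + e^b}$). Taking the $b$-th root of both sides and using $\bigl(e/(1-e)\bigr)^b \to 0$ for $e < \frac{1}{2}$, the constant factor and the term $e^b$ in the denominator become irrelevant as $b \to \infty$, so the condition holds for all sufficiently large $b$ exactly when

$$\left(\frac{1-2e}{1-e}\right)^{2} > \frac{e}{1-e} \iff (1-2e)^2 > e(1-e) \iff 5e^2 - 5e + 1 > 0 \; .$$

On $0 \le e < \frac{1}{2}$ this is equivalent to $e < \frac{5-\sqrt{5}}{10} \approx 0.2764$, which matches the stated tolerance of 27.6%.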
[Plot 7.5: Rate of the six-state protocol with advantage distillation (on blocks of optimal length) followed by (optimal) random bit-flips on Alice's side.]


Note that this value coincides with the corresponding error tolerance of another variant of the six-state protocol due to Chau [Cha02] and is actually optimal for this class of protocols (cf. [ABB+04]). However, compared to Chau's protocol, the above described variant of the six-state protocol is simpler⁸ and has a higher key rate. 

⁸ Instead of adding noise, Chau's protocol uses xor operations between different bits of the raw key. 
Distance measures 

A.1 Fidelity 

The fidelity between two (not necessarily normalized) states $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ is defined by 

$$F(\rho, \rho') := \mathrm{tr}\,\bigl|\rho^{1/2} \rho'^{1/2}\bigr| \; .$$

In particular, if $\rho = |\psi\rangle\langle\psi|$ and $\rho' = |\psi'\rangle\langle\psi'|$ are pure states, 

$$F(\rho, \rho') = |\langle\psi|\psi'\rangle| \; .$$

Remark A.1.1. For any $\alpha, \beta \in \mathbb{R}^+$, 

$$F(\alpha\rho, \beta\rho') = \sqrt{\alpha\beta}\, F(\rho, \rho') \; .$$

Fidelity of purifications 

Uhlmann's theorem states that the fidelity between two operators is equal to the maximum fidelity of their purifications. 

Theorem A.1.2 (Uhlmann). Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ and let $|\psi\rangle\langle\psi|$ be a purification of $\rho$. Then 

$$F(\rho, \rho') = \max_{|\psi'\rangle\langle\psi'|} F\bigl(|\psi\rangle\langle\psi|, |\psi'\rangle\langle\psi'|\bigr)$$

where the maximum is taken over all purifications $|\psi'\rangle\langle\psi'|$ of $\rho'$. 

Proof. The assertion follows directly from the corresponding statement for normalized density operators (see, e.g., Theorem 9.4 in [NC00]) and Remark A.1.1. □ 

Remark A.1.3. Because the fidelity $F(|\psi\rangle\langle\psi|, |\psi'\rangle\langle\psi'|)$ does not depend on the phase of the vectors, the vector $|\psi'\rangle$ which maximizes the expression of Theorem A.1.2 can always be chosen such that $\langle\psi|\psi'\rangle$ is real and nonnegative. 
Fidelity and quantum operations 

The fidelity between two density operators is equal to the minimum fidelity between the distributions of the outcomes resulting from a measurement. 

Lemma A.1.4. Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$. Then 

$$F(\rho, \rho') = \min_{\{M_z\}_z} F(P_Z, P'_Z)$$

where the minimum ranges over all POVMs $\{M_z\}_{z \in \mathcal{Z}}$ on $\mathcal{H}$ and where $P_Z, P'_Z \in \mathcal{P}(\mathcal{Z})$ are defined by $P_Z(z) = \mathrm{tr}(\rho M_z)$ and $P'_Z(z) = \mathrm{tr}(\rho' M_z)$, respectively. 

Proof. The statement follows directly from the corresponding statement for normalized density operators (cf. formula (9.74) in [NC00]) and Remark A.1.1. □ 

The fidelity between two operators cannot decrease when applying the same quantum operation to both of them. 

Lemma A.1.5. Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ and let $\mathcal{E}$ be a trace-preserving CPM on $\mathcal{H}$. Then 

$$F(\mathcal{E}(\rho), \mathcal{E}(\rho')) \geq F(\rho, \rho') \; .$$

Proof. See Theorem 9.6 of [NC00] and Remark A.1.1. □ 



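A.2 $L_1$-distance 

$L_1$-distance and quantum operations 

The $L_1$-distance between two density operators cannot increase when applying the same (trace-preserving) quantum operation to both of them. 

Lemma A.2.1. Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ and let $\mathcal{E}$ be a CPM such that $\mathrm{tr}(\mathcal{E}(\sigma)) \leq \mathrm{tr}(\sigma)$ for any $\sigma \in \mathcal{P}(\mathcal{H})$. Then 

$$\|\mathcal{E}(\rho) - \mathcal{E}(\rho')\|_1 \leq \|\rho - \rho'\|_1 \; .$$

Proof. It suffices to show that $\|\mathcal{E}(T)\|_1 \leq \|T\|_1$, for any hermitian operator $T$. The assertion then follows with $T := \rho - \rho'$ because $\mathcal{E}$ is linear. 

For any hermitian operator $S$, let $\|S\|_\infty := \sup_{|\phi\rangle \in \mathcal{H}:\, \||\phi\rangle\| \leq 1} \|S|\phi\rangle\|$ be the $L_\infty$-operator norm. Note that the $L_\infty$-operator norm can equivalently be written as 

$$\|S\|_\infty = \sup_{\sigma \in \mathcal{P}(\mathcal{H}):\, \mathrm{tr}(\sigma) \leq 1} \mathrm{tr}(S\sigma) \; .$$

Moreover, it is easy to see that for any hermitian operator $T$ 

$$\|T\|_1 = \sup_{S:\, \|S\|_\infty \leq 1} |\mathrm{tr}(ST)| \; . \qquad \text{(A.1)}$$

Let $\{E_k\}_k$ be the family of linear operators from $\mathcal{H}$ to $\mathcal{H}'$ defined by the CPM $\mathcal{E}$, i.e., $\mathcal{E}(\sigma) = \sum_k E_k \sigma E_k^\dagger$, for any $\sigma \in \mathcal{P}(\mathcal{H})$. Moreover, let $\mathcal{E}^\dagger$ be the CPM defined by $\mathcal{E}^\dagger(S') := \sum_k E_k^\dagger S' E_k$, for any hermitian operator $S'$ on $\mathcal{H}'$. We then have the identity 

$$\mathrm{tr}(\mathcal{E}^\dagger(S')\sigma) = \mathrm{tr}(S'\mathcal{E}(\sigma)) \; .$$

Hence 

$$\begin{aligned}
\|\mathcal{E}^\dagger(S')\|_\infty &= \sup_{\sigma \in \mathcal{P}(\mathcal{H}):\, \mathrm{tr}(\sigma) \leq 1} \mathrm{tr}(\mathcal{E}^\dagger(S')\sigma) \\
&= \sup_{\sigma \in \mathcal{P}(\mathcal{H}):\, \mathrm{tr}(\sigma) \leq 1} \mathrm{tr}(S'\mathcal{E}(\sigma)) \\
&\leq \|S'\|_\infty \; ,
\end{aligned} \qquad \text{(A.2)}$$

where the inequality holds because $\mathcal{E}(\sigma) \in \mathcal{P}(\mathcal{H}')$ and $\mathrm{tr}(\mathcal{E}(\sigma)) \leq \mathrm{tr}(\sigma) = 1$, for any $\sigma \in \mathcal{P}(\mathcal{H})$. Using (A.1), this implies that 

$$\begin{aligned}
\|\mathcal{E}(T)\|_1 &= \sup_{S':\, \|S'\|_\infty \leq 1} |\mathrm{tr}(\mathcal{E}(T)S')| \\
&= \sup_{S':\, \|S'\|_\infty \leq 1} |\mathrm{tr}(T\mathcal{E}^\dagger(S'))| \\
&\leq \sup_{S:\, \|S\|_\infty \leq 1} \mathrm{tr}(TS) \\
&= \|T\|_1 \; ,
\end{aligned}$$

where the inequality follows from (A.2). □ 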

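$L_1$-distance of mixtures 

Lemma A.2.2. Let $\rho_{AZ}$ and $\bar\rho_{AZ}$ be classical with respect to an orthonormal basis $\{|z\rangle\}_{z \in \mathcal{Z}}$ of $\mathcal{H}_Z$ and let $\{\rho_A^z\}_{z \in \mathcal{Z}}$ and $\{\bar\rho_A^z\}_{z \in \mathcal{Z}}$ be the corresponding conditional operators. Then 

$$\|\rho_{AZ} - \bar\rho_{AZ}\|_1 = \sum_{z \in \mathcal{Z}} \|\rho_A^z - \bar\rho_A^z\|_1 \; .$$

Proof. For any $z \in \mathcal{Z}$, let $\{|\phi_x^z\rangle\}_{x \in \mathcal{X}}$ be an eigenbasis of $\rho_A^z - \bar\rho_A^z$. Then, the family $\{|\phi_x^z\rangle \otimes |z\rangle\}_{(x,z) \in \mathcal{X} \times \mathcal{Z}}$ is an eigenbasis of $\rho_{AZ} - \bar\rho_{AZ}$. Hence, 

$$\begin{aligned}
\|\rho_{AZ} - \bar\rho_{AZ}\|_1 &= \sum_{z' \in \mathcal{Z}} \sum_{x \in \mathcal{X}} \Bigl| \bigl(\langle\phi_x^{z'}| \otimes \langle z'|\bigr) \Bigl( \sum_{z \in \mathcal{Z}} (\rho_A^z - \bar\rho_A^z) \otimes |z\rangle\langle z| \Bigr) \bigl(|\phi_x^{z'}\rangle \otimes |z'\rangle\bigr) \Bigr| \\
&= \sum_{z \in \mathcal{Z}} \sum_{x \in \mathcal{X}} \bigl| \langle\phi_x^z| \rho_A^z - \bar\rho_A^z |\phi_x^z\rangle \bigr| \; .
\end{aligned}$$

□ 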

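$L_1$-distance of pure operators in terms of vector distance 

The scalar product of a Hilbert space $\mathcal{H}$ induces a canonical norm, defined by $\||\phi\rangle\| := \sqrt{\langle\phi|\phi\rangle}$, for any $|\phi\rangle \in \mathcal{H}$. In particular, the norm of the difference between two vectors $|\psi\rangle$ and $|\psi'\rangle$, $\||\psi\rangle - |\psi'\rangle\|$, is a metric on $\mathcal{H}$. 

The following lemma relates the $L_1$-distance between two pure states $|\psi\rangle\langle\psi|$ and $|\psi'\rangle\langle\psi'|$ to the vector distance $\||\psi\rangle - |\psi'\rangle\|$. 

Lemma A.2.3. Let $|\psi\rangle, |\psi'\rangle \in \mathcal{H}$ such that $\langle\psi|\psi'\rangle$ is real. Then 

Proof. Define $|\alpha\rangle := |\psi\rangle + |\psi'\rangle$, $|\beta\rangle := |\psi\rangle - |\psi'\rangle$ and let $a := \||\alpha\rangle\|$, $b := \||\beta\rangle\|$. We then have 

$$\bigl\| |\psi\rangle\langle\psi| - |\psi'\rangle\langle\psi'| \bigr\|_1 = \mathrm{tr}\bigl| |\psi\rangle\langle\psi| - |\psi'\rangle\langle\psi'| \bigr| = \tfrac{1}{2}\, \mathrm{tr}\bigl| |\alpha\rangle\langle\beta| + |\beta\rangle\langle\alpha| \bigr| \; .$$

Moreover, because $\langle\psi|\psi'\rangle$ is real, the scalar product $\langle\alpha|\beta\rangle = \langle\psi|\psi\rangle - \langle\psi'|\psi'\rangle$ is real as well. Using this, it is easy to verify that $b|\alpha\rangle + a|\beta\rangle$ and $b|\alpha\rangle - a|\beta\rangle$ are eigenvectors of $|\alpha\rangle\langle\beta| + |\beta\rangle\langle\alpha|$ with eigenvalues $\langle\alpha|\beta\rangle + ab$ and $\langle\alpha|\beta\rangle - ab$, respectively. Hence, 

$$\mathrm{tr}\bigl| |\alpha\rangle\langle\beta| + |\beta\rangle\langle\alpha| \bigr| = |\langle\alpha|\beta\rangle + ab| + |\langle\alpha|\beta\rangle - ab| = 2ab \; ,$$

where the last equality holds because the Cauchy-Schwarz inequality implies $|\langle\alpha|\beta\rangle| \leq ab$. □ 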

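Upper bound on $L_1$-distance in terms of fidelity 

Lemma A.2.4. Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$. Then 

$$\|\rho - \rho'\|_1 \leq \sqrt{(\mathrm{tr}(\rho) + \mathrm{tr}(\rho'))^2 - 4F(\rho, \rho')^2} \; .$$

Proof. It follows from Uhlmann's theorem (see Theorem A.1.2 and remark thereafter) that there exist purifications $|\psi\rangle\langle\psi|$ and $|\psi'\rangle\langle\psi'|$ of $\rho$ and $\rho'$, respectively, such that $\langle\psi|\psi'\rangle$ is nonnegative and $F(\rho, \rho') = F(|\psi\rangle\langle\psi|, |\psi'\rangle\langle\psi'|)$. Using Lemma A.2.3, a simple calculation leads to 

Since $\langle\psi|\psi\rangle = \mathrm{tr}(|\psi\rangle\langle\psi|) = \mathrm{tr}(\rho)$, $\langle\psi'|\psi'\rangle = \mathrm{tr}(\rho')$, and $F(|\psi\rangle\langle\psi|, |\psi'\rangle\langle\psi'|) = \langle\psi|\psi'\rangle$, this identity can be rewritten as 

$$\bigl\| |\psi\rangle\langle\psi| - |\psi'\rangle\langle\psi'| \bigr\|_1 = \sqrt{(\mathrm{tr}(\rho) + \mathrm{tr}(\rho'))^2 - 4F(\rho, \rho')^2} \; .$$

The assertion then follows from the fact that the $L_1$-distance can only decrease when taking the partial trace (cf. Lemma A.2.1). □ 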

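Upper bound on $L_1$-distance in terms of vector distance 

The following lemma is a generalization of one direction of Lemma A.2.3 to mixed states. 

Lemma A.2.5. Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ and let $|\psi\rangle\langle\psi|$ and $|\psi'\rangle\langle\psi'|$ be purifications of $\rho$ and $\rho'$, respectively. Then 

$$\|\rho - \rho'\|_1 \leq \bigl(\sqrt{\mathrm{tr}(\rho)} + \sqrt{\mathrm{tr}(\rho')}\bigr) \cdot \||\psi\rangle - |\psi'\rangle\| \; .$$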

Proof. Let v G [0, 2tt] such that e lv {ip\ip') is nonnegative and define := 
e %v \ijj'). Then, from Lemma lA, 2. 31 

< lll^-l^il-dll^ll + 111^)11) 

where the inequality follows from the triangle inequality for the norm || • || 
and |||0')|| = ||IV' / )||· Moreover, since (ipl^') is nonnegative, it cannot be 
smaller than the real value of the scalar product {ïjj\ip'), that is, ^((ip\ip')) = 
b')\ >5ft((V#')), and thus 



|||0) - = yW> + <W0 " 2&(<^'>) 

< v<v#) + <w)-2ïí((v# , >) 
= \\m . 

Combining this with (|A.3|) gives 

||IV>M-I^'WI|| = ||hWI-l?X?l|| 

< (\\\ï>)\\ + II IV) II) -IN- IVOII • 

The assertion follows from the fact that the $L_1$-distance cannot increase when taking the partial trace (cf. Lemma A.2.1). □ 
Lower bound on $L_1$-distance in terms of fidelity 

The following statement is the converse of Lemma A.2.4. 

Lemma A.2.6. Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$. Then 

$$\mathrm{tr}(\rho) + \mathrm{tr}(\rho') - 2F(\rho, \rho') \leq \|\rho - \rho'\|_1 \; .$$

The proof is a direct generalization of an argument given in [NC00] (see formula (9.109) of [NC00]). 

Proof. According to Lemma A.1.4, there exists a POVM $\mathcal{M} = \{M_z\}_{z \in \mathcal{Z}}$ such that 

$$F(\rho, \rho') = F(P_Z, P'_Z) \; ,$$

for $P_Z$ and $P'_Z$ defined by $P_Z(z) = \mathrm{tr}(\rho M_z)$ and $P'_Z(z) = \mathrm{tr}(\rho' M_z)$. Using the abbreviation $p_z := P_Z(z)$ and $p'_z := P'_Z(z)$, we observe that 

.2 



z&z zez (A.4) 

= ti(p)+ti(p')-2F(p,p') . 

Moreover, because $|\sqrt{p_z} - \sqrt{p'_z}| \leq \sqrt{p_z} + \sqrt{p'_z}$, 

,2 



ze.z ze.z 

zGZ 

< IIp-p'IIi , 

where the last inequality follows from the fact that the trace distance cannot increase when applying a POVM (cf. Lemma A.2.1). The assertion then follows by combining this with (A.4). □ 



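Lower bound on $L_1$-distance in terms of vector distance 

The following statement can be seen as the converse of Lemma A.2.5. 

Lemma A.2.7. Let $\rho, \rho' \in \mathcal{P}(\mathcal{H})$ and let $|\psi\rangle\langle\psi|$ be a purification of $\rho$. Then there exists a purification $|\psi'\rangle\langle\psi'|$ of $\rho'$ such that 

$$\||\psi\rangle - |\psi'\rangle\| \leq \sqrt{\|\rho - \rho'\|_1} \; .$$

Proof. Uhlmann's theorem (see Theorem A.1.2 and remark thereafter) implies that there exists a purification $|\psi'\rangle\langle\psi'|$ of $\rho'$ such that $F(\rho, \rho') = \langle\psi|\psi'\rangle$. Hence, 

$$\begin{aligned}
\||\psi\rangle - |\psi'\rangle\| &= \sqrt{\langle\psi|\psi\rangle + \langle\psi'|\psi'\rangle - \langle\psi|\psi'\rangle - \langle\psi'|\psi\rangle} \\
&= \sqrt{\mathrm{tr}(\rho) + \mathrm{tr}(\rho') - 2F(\rho, \rho')} \; .
\end{aligned}$$

The assertion then follows from Lemma A.2.6. □ 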
$L_1$-distance and trace 

A slightly different variant of the following statement is known as the Gentle Measurement Lemma [Win99]. 

Lemma A.2.8. Let $\rho, \bar\rho \in \mathcal{P}(\mathcal{H})$ such that $\bar\rho = P\rho P$ for some projector $P$ on $\mathcal{H}$. Then, 

Proof. We first show that the assertion holds if $\rho$ is normalized (i.e., $\mathrm{tr}(\rho) = 1$) and pure, that is, $\rho = |\phi\rangle\langle\phi|$ for some normalized vector $|\phi\rangle$. Since $P$ is a projector, the vector $|\phi\rangle$ can be written as a weighted sum of two orthonormal vectors $|a\rangle$ and $|b\rangle$, $|\phi\rangle = \alpha|a\rangle + \beta|b\rangle$, for $\alpha, \beta \geq 0$, such that $P|a\rangle = |a\rangle$ and $P|b\rangle = 0$. In particular, $\bar\rho = \alpha^2 |a\rangle\langle a|$. A straightforward calculation then shows that 

$$\|\rho - \bar\rho\|_1 = \bigl\| (\alpha|a\rangle + \beta|b\rangle)(\alpha\langle a| + \beta\langle b|) - \alpha^2 |a\rangle\langle a| \bigr\|_1 \leq 2\beta = 2\sqrt{1 - \mathrm{tr}(\bar\rho)}$$

which concludes the proof for normalized pure states $\rho$. 

To show that the assertion holds for general operators $\rho \in \mathcal{P}(\mathcal{H})$, let $\rho = \sum_{x \in \mathcal{X}} p_x |x\rangle\langle x|$ be a spectral decomposition of $\rho$. In particular, $\sum_{x \in \mathcal{X}} p_x = \mathrm{tr}(\rho)$. Define $\rho_x$ := and $\bar\rho_x := P\rho_x P$. By linearity, we have 

Hence, using the triangle inequality and the fact that the assertion holds for the normalized pure states $\rho_x$, we find 

$$\|\rho - \bar\rho\|_1 \leq \sum_x p_x \|\rho_x - \bar\rho_x\|_1 \leq 2 \sum_x p_x \sqrt{1 - \mathrm{tr}(\bar\rho_x)} \; .$$

Moreover, with Jensen's inequality we find 

$$\sum_x p_x \sqrt{1 - \mathrm{tr}(\bar\rho_x)} = \mathrm{tr}(\rho) \sum_x \frac{p_x}{\mathrm{tr}(\rho)} \sqrt{1 - \mathrm{tr}(\bar\rho_x)}$$

which concludes the proof. □ 



Appendix B 

Various Technical Results 

B.1 Combinatorics 

For proofs of the following statements, we refer to the standard literature on combinatorics. 

Lemma B.1.1. The set $\mathcal{Q}_n^{\mathcal{X}}$ of types with denominator $n$ on a set $\mathcal{X}$ has cardinality 

$$|\mathcal{Q}_n^{\mathcal{X}}| = \binom{n + |\mathcal{X}| - 1}{n} \; .$$

Lemma B.1.2. Let $Q \in \mathcal{Q}_n^{\mathcal{X}}$ be a type with denominator $n$ on a set $\mathcal{X}$. Then the type class $\Lambda_n^Q$ has cardinality 


|A«| 



ni 



Lemma B.1.3. A set of cardinality $n$ has at most $2^{n h(r/n)}$ subsets of cardinality $r$. 

Proof. A set of cardinality $n$ has exactly $\binom{n}{r}$ subsets of cardinality $r$. The assertion thus follows from the inequality¹ $\binom{n}{r} \leq 2^{n h(r/n)}$. □ 



B.2 Birkhoff's Theorem 

Definition B.2.1. A matrix $(a_{x,y})_{x \in \mathcal{X}, y \in \mathcal{Y}}$ is bistochastic if $a_{x,y} \geq 0$, for any $x \in \mathcal{X}$, $y \in \mathcal{Y}$, and $\sum_{y \in \mathcal{Y}} a_{x,y} = \sum_{x \in \mathcal{X}} a_{x,y} = 1$. 

It is easy to see that a matrix $(a_{x,y})_{x \in \mathcal{X}, y \in \mathcal{Y}}$ can only be bistochastic if $|\mathcal{X}| = |\mathcal{Y}|$. The following theorem due to Birkhoff [Bir46] states that any bistochastic matrix can be written as a mixture of permutation matrices. (See, e.g., [HJ85] for a proof.) 

¹ See, e.g., [CT91], Formula (12.40). 

Theorem B.2.2 (Birkhoff's theorem). Let $(a_{x,y})_{x \in \mathcal{X}, y \in \mathcal{Y}}$ be a bistochastic matrix. Then there exist nonnegative coefficients $\mu_\pi$, parameterized by the bijections $\pi$ from $\mathcal{Y}$ to $\mathcal{X}$, such that $\sum_\pi \mu_\pi = 1$ and, for any $x \in \mathcal{X}$, 

u - y, 2 

TV 

It follows immediately from Birkhoff's theorem that any sum of the form 

S = ^ a x,yS x 



can be rewritten as 



x,y tt 7r y 



B.3 Typical sequences 

Let $x$ be an $n$-tuple chosen according to an $n$-fold product distribution $(P_X)^n$. Then, with probability almost one, $x$ is a typical sequence, i.e., its frequency distribution $\lambda_x$ is close to the distribution $P_X$. 

Theorem B.3.1. Let $P_X$ be a probability distribution on $\mathcal{X}$ and let $x$ be chosen according to the $n$-fold product distribution $(P_X)^n$. Then, for any $\delta > 0$, 

$$\Pr_x\bigl[D(\lambda_x \| P_X) > \delta\bigr] \leq 2^{-n\left(\delta - |\mathcal{X}| \frac{\log(n+1)}{n}\right)} \; .$$

Proof. See Theorem 12.2.1 of [CT91]. □ 

Theorem B.3.1 quantifies the distance between $\lambda_x$ and $P_X$ with respect to the relative entropy. To obtain a statement in terms of the $L_1$-distance, we need the following lemma. 

Lemma B.3.2. Let $P$ and $Q$ be probability distributions. Then 

$$\|P - Q\|_1 \leq \sqrt{2 (\ln 2) D(P \| Q)} \; .$$

Proof. See Lemma 12.6.1 of [CT91]. □ 

Corollary B.3.3. Let $P_X$ be a probability distribution on $\mathcal{X}$ and let $x$ be chosen according to the $n$-fold product distribution $(P_X)^n$. Then, for any $\delta > 0$, 

$$\Pr_x\bigl[\|\lambda_x - P_X\|_1 > \delta\bigr] \leq 2^{-n\left(\frac{\delta^2}{2 \ln 2} - |\mathcal{X}| \frac{\log(n+1)}{n}\right)} \; .$$

Proof. The assertion follows directly from Theorem B.3.1 combined with Lemma B.3.2. □ 

² $\delta_{x,\pi(y)}$ denotes the Kronecker symbol which equals one if $x = \pi(y)$ and zero otherwise. 
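B.4 Product spaces 

Lemma B.4.1. Let $\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$. Then 

$$\mathrm{supp}(\rho_{AB}) \subseteq \mathrm{supp}(\rho_A) \otimes \mathrm{supp}(\rho_B) \; .$$

Proof. Assume first that $\rho_{AB}$ is pure, i.e., $\rho_{AB} = |\Psi\rangle\langle\Psi|$. Let $|\Psi\rangle = \sum_{z \in \mathcal{Z}} \alpha_z |\phi^z\rangle \otimes |\psi^z\rangle$ be a Schmidt decomposition of $|\Psi\rangle$, i.e., $\{|\phi^z\rangle\}_{z \in \mathcal{Z}}$ and $\{|\psi^z\rangle\}_{z \in \mathcal{Z}}$ are families of orthonormal vectors in $\mathcal{H}_A$ and $\mathcal{H}_B$, respectively. Then 

$$\mathrm{supp}(\rho_{AB}) = \{|\Psi\rangle\} \subseteq \mathrm{span}\{|\phi^z\rangle\}_{z \in \mathcal{Z}} \otimes \mathrm{span}\{|\psi^z\rangle\}_{z \in \mathcal{Z}} \; .$$

Because $\mathrm{span}\{|\phi^z\rangle\}_{z \in \mathcal{Z}} = \mathrm{supp}(\rho_A)$ and $\mathrm{span}\{|\psi^z\rangle\}_{z \in \mathcal{Z}} = \mathrm{supp}(\rho_B)$ the assertion follows. 

To show that the statement also holds for mixed states, let $\rho_{AB} = \sum_{x \in \mathcal{X}} \rho_{AB}^x$ be a decomposition of $\rho_{AB}$ into pure states $\rho_{AB}^x$, for $x \in \mathcal{X}$. Then, because the lemma holds for the states $\rho_{AB}^x$, 

$$\mathrm{supp}(\rho_{AB}) = \mathrm{span} \bigcup_{x} \mathrm{supp}(\rho_{AB}^x) \subseteq \mathrm{span} \bigcup_{x} \mathrm{supp}(\rho_A^x) \otimes \mathrm{supp}(\rho_B^x)$$

□ 

Lemma B.4.2. Let $\rho_{AB}, \bar\rho_{AB} \in \mathcal{P}(\mathcal{H}_A \otimes \mathcal{H}_B)$ such that $\mathrm{supp}(\rho_{AB}) \subseteq \mathrm{supp}(\bar\rho_{AB})$. Then $\mathrm{supp}(\rho_A) \subseteq \mathrm{supp}(\bar\rho_A)$. 

Proof. Assume first that $\rho_{AB}$ is pure, i.e., $\rho_{AB} = |\Psi\rangle\langle\Psi|$. Let $|\Psi\rangle = \sum_{z \in \mathcal{Z}} \alpha_z |\phi^z\rangle \otimes |\psi^z\rangle$ be a Schmidt decomposition of $|\Psi\rangle$, i.e., $\{|\phi^z\rangle\}_{z \in \mathcal{Z}}$ and $\{|\psi^z\rangle\}_{z \in \mathcal{Z}}$ are families of orthonormal vectors in $\mathcal{H}_A$ and $\mathcal{H}_B$, respectively. Then $\mathrm{supp}(\rho_{AB}) = \{|\Psi\rangle\}$. Moreover, by Lemma B.4.1, 

$$\mathrm{supp}(\rho_{AB}) \subseteq \mathrm{supp}(\bar\rho_{AB}) \subseteq \mathrm{supp}(\bar\rho_A) \otimes \mathrm{supp}(\bar\rho_B)$$

i.e., $|\Psi\rangle \in \mathrm{supp}(\bar\rho_A) \otimes \mathrm{supp}(\bar\rho_B)$. This implies $|\phi^z\rangle \in \mathrm{supp}(\bar\rho_A)$, for any $z \in \mathcal{Z}$, and thus $\mathrm{span}\{|\phi^z\rangle\}_{z \in \mathcal{Z}} \subseteq \mathrm{supp}(\bar\rho_A)$. The assertion then follows because $\mathrm{span}\{|\phi^z\rangle\}_{z \in \mathcal{Z}} = \mathrm{supp}(\rho_A)$. 

To show that the statement holds for mixed states, let $\rho_{AB} = \sum_{x \in \mathcal{X}} \rho_{AB}^x$ be a decomposition of $\rho_{AB}$ into pure states $\rho_{AB}^x$, for $x \in \mathcal{X}$. We then have $\mathrm{supp}(\rho_{AB}^x) \subseteq \mathrm{supp}(\bar\rho_{AB})$, for any $x \in \mathcal{X}$, and thus, because the lemma holds for pure states, $\mathrm{supp}(\rho_A^x) \subseteq \mathrm{supp}(\bar\rho_A)$. Consequently, 

$$\mathrm{supp}(\rho_A) = \mathrm{span} \bigcup_{x} \mathrm{supp}(\rho_A^x) \subseteq \mathrm{supp}(\bar\rho_A) \; .$$

□ 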
B.5 Nonnegative operators 

Lemma B.5.1. Let $\rho \in \mathcal{P}(\mathcal{H})$ and let $S$ be a hermitian operator on $\mathcal{H}$. Then $S\rho S$ is nonnegative. 

Proof. Let $\rho = \sum_{x \in \mathcal{X}} p_x |x\rangle\langle x|$ be a spectral decomposition of $\rho$. Then, for any vector $|\theta\rangle \in \mathcal{H}$, 

$$\langle\theta|S\rho S|\theta\rangle = \sum_{x \in \mathcal{X}} p_x \langle\theta|S|x\rangle\langle x|S|\theta\rangle = \sum_{x \in \mathcal{X}} p_x |\langle\theta|S|x\rangle|^2 \geq 0 \; .$$

The assertion then follows because $S\rho S$ is hermitian. □ 

Lemma B.5.2. Let $\rho, \sigma \in \mathcal{P}(\mathcal{H})$. Then $\mathrm{tr}(\rho\sigma) \geq 0$. 

Proof. The assertion is an immediate consequence of the fact that $\mathrm{tr}(\rho\sigma) = \mathrm{tr}(\sigma^{1/2} \rho \sigma^{1/2})$ and Lemma B.5.1. □ 

Lemma B.5.3. Let $\rho, \sigma \in \mathcal{P}(\mathcal{H})$ such that $\sigma$ is invertible. Then the operator $\lambda \cdot \sigma - \rho$ is nonnegative if and only if 

$$\lambda_{\max}(\sigma^{-1/2} \rho \sigma^{-1/2}) \leq \lambda \; .$$

Proof. With $D := \lambda \cdot \mathrm{id} - \sigma^{-1/2} \rho \sigma^{-1/2}$, we have $\lambda \cdot \sigma - \rho = \sigma^{1/2} D \sigma^{1/2}$. Because of Lemma B.5.1, this operator is nonnegative if and only if $D$ is nonnegative, which is equivalent to say that all eigenvalues of $\sigma^{-1/2} \rho \sigma^{-1/2}$ are upper bounded by $\lambda$. □ 

Lemma B.5.4. Let $\rho, \sigma \in \mathcal{P}(\mathcal{H})$ such that $\lambda \cdot \sigma - \rho$ is nonnegative and $\sigma$ is invertible. Then 

$$\lambda_{\max}(\rho^{1/2} \sigma^{-1} \rho^{1/2}) \leq \lambda \; .$$

Proof. Assume without loss of generality that $\rho$ is invertible (otherwise, the statement follows by continuity). Because the operator $\lambda \cdot \sigma - \rho$ is nonnegative, the same holds for $\rho^{-1/2}(\lambda \cdot \sigma - \rho)\rho^{-1/2} = \lambda \cdot \rho^{-1/2} \sigma \rho^{-1/2} - \mathrm{id}$ (cf. Lemma B.5.1). Hence, all eigenvalues of $\rho^{-1/2} \sigma \rho^{-1/2}$ are at least $\lambda^{-1}$. Consequently, the eigenvalues of the inverse $\rho^{1/2} \sigma^{-1} \rho^{1/2}$ cannot be larger than $\lambda$. □ 



B.6 Properties of the function $r_t$ 

The class of functions $r_t : z \mapsto z^t - t \ln z - 1$, for $t \in \mathbb{R}$, is used in Section 3.3 for the proof of a Chernoff style bound. In the following, we list some of its properties. 

Lemma B.6.1. For any $t \in \mathbb{R}$, the function $r_t$ is monotonically increasing on the interval $[1, \infty)$. 

Proof. The first derivative of $r_t$ is given by 

$$\frac{d}{dz} r_t(z) = t z^{t-1} - \frac{t}{z} = \frac{t}{z}(z^t - 1) \; .$$

The assertion follows because the term on the right hand side is nonnegative for any $z \in [1, \infty)$. □ 

Lemma B.6.2. For any $t \in \mathbb{R}$ and $z \in (0, \infty)$, 

$$r_t(z) \leq r_{|t|}\Bigl(z + \frac{1}{z}\Bigr) \; .$$

Proof. Observe first that $r_t(z) = r_{-t}(\frac{1}{z})$. It thus suffices to show that the statement holds for $t \geq 0$. If $z \geq 1$, the assertion follows directly from Lemma B.6.1. For the case where $t \geq 0$ and $z < 1$, let $v := -t \ln z$. Then $r_t(\frac{1}{z}) = e^v - v - 1$ and $r_t(z) = e^{-v} + v - 1$. Because $v \geq 0$, we have $e^v - e^{-v} \geq 2v$, which implies $r_t(z) \leq r_t(\frac{1}{z})$. The assertion then follows again from Lemma B.6.1. □ 

Lemma B.6.3. For any $t \in [-\frac{1}{2}, \frac{1}{2}]$, the function $r_t$ is concave on the interval $[4, \infty)$. 

Proof. We show that $\frac{d^2}{dz^2} r_t(z) \leq 0$ for any $z \geq 4$. Because $\frac{d^2}{dz^2} r_t(z) = t(t-1) z^{t-2} + \frac{t}{z^2}$, this is equivalent to $t(1-t) z^t \geq t$. It thus suffices to verify that 

$$z \geq \Bigl(\frac{1}{1-t}\Bigr)^{1/t}$$

for any $z \geq 4$. Using some simple analysis, it is easy to see that the term on the right hand side is monotonically increasing in $t$ on the interval $[-\frac{1}{2}, \frac{1}{2}]$ and thus takes its maximum at $t = \frac{1}{2}$, in which case it equals 4. □ 

Lemma B.6.4. For any z G [1, 00) and t G [— \^]> 

r t (z) < (l - ln2)(logz) 2 í 2 . 
Proof. Let u := ílnz. Then 

r t (z) _ e fln2 -ílnz-l _ e v -v-l 2 

We first show that the term on the right hand side of (B.1) is monotonically increasing in $v$, that is, 

d e v -v-l e v - 1 e u - u - 1 

> . 



dv v 2 v 2 v 3 

A simple calculation shows that this inequality can be rewritten as 

2 e "/2 _ e -iV2 

- w e í;/2 + e -t)/2 ' 
which holds because, for any ugl 

e v/2 _ e -v/2 



f>v/2 _|_ g—v/2 



tanh ■ 



< 



Hence, in order to find an upper bound on (B.1), it is sufficient to evaluate the right hand side of (B.1) for the maximum value of $v$. By assumption, we have $v \leq \ln 2$, i.e., 



1 



(ln^) 2 < (1 - ln2)(logz) 



which concludes the proof. 



□ 



Appendix C 

Computationally Efficient Information Reconciliation 

In Section 6.3 we have proposed a general one-way information reconciliation scheme which is optimal with respect to its information leakage. The scheme, however, requires the receiver of the error-correcting information to perform some decoding operation for which no efficient algorithm is known. In the following, we propose an alternative information reconciliation scheme based on error-correcting codes where all computations can be done efficiently. 

C.1 Preliminaries 

To describe and analyze the protocol, we need some terminology and basic results from the theory of channel coding. Let $\mathfrak{C}$ be a discrete memoryless channel which takes inputs from a set $\mathcal{U}$ and gives outputs from a set $\mathcal{V}$.¹ An encoding scheme for $\mathfrak{C}$ is a family of pairs $(\mathcal{C}_n, \mathrm{dec}_n)$ parameterized by $n \in \mathbb{N}$ where $\mathcal{C}_n$ is a code on $\mathcal{U}$ of length $n$, i.e., a set of $n$-tuples $u \in \mathcal{U}^n$, called codewords, and $\mathrm{dec}_n$ is a decoding function, i.e., a mapping from $\mathcal{V}^n$ to $\mathcal{C}_n$. The rate of the code $\mathcal{C}_n$ is defined by $\mathrm{rate}(\mathcal{C}_n) := \frac{1}{n} \log |\mathcal{C}_n|$. Moreover, the maximum error probability of $(\mathcal{C}_n, \mathrm{dec}_n)$ is defined by 

$$\varepsilon_{\max}(\mathcal{C}_n, \mathrm{dec}_n) := \max_{u \in \mathcal{C}_n} \Pr_v[u \neq \mathrm{dec}_n(v)] \; ,$$

where, for any $u = (u_1, \ldots, u_n) \in \mathcal{C}_n$, the probability is over all outputs $v = (v_1, \ldots, v_n)$ of $n$ parallel invocations of $\mathfrak{C}$ on input $u$. 

We will use the following fundamental theorem for channel coding (cf., e.g., [CT91], Section 8.7). 

¹ A discrete memoryless channel $\mathfrak{C}$ from $\mathcal{U}$ to $\mathcal{V}$ is defined by the conditional probability distributions $P_{V|U=u}$ on $\mathcal{V}$, for any $u \in \mathcal{U}$. 
Proposition C.1.1. Let $\mathfrak{C}$ be a discrete memoryless channel from $\mathcal{U}$ to $\mathcal{V}$ and let $\delta > 0$. Then there exists an encoding scheme $\{(\mathcal{C}_n, \mathrm{dec}_n)\}_{n \in \mathbb{N}}$ for $\mathfrak{C}$ such that the following holds: 

• $\mathrm{rate}(\mathcal{C}_n) \geq \max_{P_U} H(U) - H(U|V) - \delta$, for any $n \in \mathbb{N}$. (The entropies in the maximum are computed for the distribution $P_{UV}$ of an input/output pair $(u, v)$ of $\mathfrak{C}$, where $u$ is chosen according to $P_U$.) 

C.2 Information reconciliation based on codes 

Let us now consider an information reconciliation protocol based on channel coding. For this, we assume that Alice's and Bob's inputs are strings $x = (x_1, \ldots, x_n)$ and $y = (y_1, \ldots, y_n)$, respectively. Our protocol shall be secure if the inputs $x$, $y$ are distributed according to a product distribution $P_{X^n Y^n} = (P_{XY})^n$. 

Let $\mathfrak{C}$ be the channel which maps any $u \in \mathcal{X}$ to $v := (x \oplus u, y)$, where the pair $(x, y)$ is chosen according to the probability distribution $P_{XY}$ and where $\oplus$ is a group operation on $\mathcal{X}$. For any $n \in \mathbb{N}$, let $\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}$ be the information reconciliation protocol specified by Fig. C.1, where $\mathcal{C}_n$ is the code and $\mathrm{dec}_n$ the decoding function defined by Proposition C.1.1. 

It is easy to see that $\hat{x} = x$ holds whenever $\mathrm{dec}_n$ decodes to the correct value $\hat{u} = u$. Hence, the information reconciliation protocol $\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}$ is $\varepsilon_n$-secure, for $\varepsilon_n := \varepsilon_{\max}(\mathcal{C}_n, \mathrm{dec}_n)$. Because, by Proposition C.1.1, the maximum error probability $\varepsilon_{\max}(\mathcal{C}_n, \mathrm{dec}_n)$ of $(\mathcal{C}_n, \mathrm{dec}_n)$ goes to zero, for $n$ approaching infinity, the protocol $\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}$ is asymptotically secure. 

Moreover, by Proposition C.1.1, 

$$\mathrm{rate}(\mathcal{C}_n) \geq \max_{P_U} H(U) - H(U | X \oplus U, Y) - \delta \; .$$

Using the fact that the input $u$ is chosen independently of the randomness of the channel $(x, y)$, a simple information-theoretic computation shows that the entropy difference in the maximum can be rewritten as $H(X \oplus U | Y) - H(X | Y)$. Hence, because $\max_{P_U} H(X \oplus U | Y) = H_{\max}(P_U) = \log |\mathcal{X}|$, we find 

$$\frac{1}{n} \log |\mathcal{C}_n| = \mathrm{rate}(\mathcal{C}_n) \geq \log |\mathcal{X}| - H(X|Y) - \delta \; . \qquad \text{(C.1)}$$

The communication $c$ of the protocol is contained in the set $\mathcal{X}^n$. Furthermore, because $u$ is chosen uniformly at random from $\mathcal{C}_n$, the distribution $P_{C|X^n = x}$ of the communication $c$, conditioned on any input $x \in \mathcal{X}^n$, is uniform over a set of size $|\mathcal{C}_n|$. The leakage of $\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}$ is thus given by 

$$\mathrm{leak}_{\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}} = \log |\mathcal{X}^n| - \min_x H_{\min}(P_{C|X^n = x}) = n \log |\mathcal{X}| - \log |\mathcal{C}_n| \; .$$
Fig. C.1 Information reconciliation protocol $\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}$. 

Parameters: 
  $\mathcal{C}_n$: set of codewords from $\mathcal{X}^n$ 
  $\mathrm{dec}_n$: decoding function from $\mathcal{X}^n \times \mathcal{Y}^n$ to $\mathcal{C}_n$ 
  $\oplus$: group operation on $\mathcal{X}$ (with inverse $\ominus$). 

Alice                                  Bob 

input: $x \in \mathcal{X}^n$                 input: $y \in \mathcal{Y}^n$ 

$u \in_R \mathcal{C}_n$ 

$c := x \oplus u$                      $\hat{u} := \mathrm{dec}_n(c, y)$ 

                                       if decoding not succ. 
                                       then abort 

                                       output $\hat{x} := c \ominus \hat{u}$ 



Combining this with (C.1) we conclude 

$$\frac{1}{n} \mathrm{leak}_{\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}} \leq H(X|Y) + \delta \; .$$

Because Proposition C.1.1 also holds for efficient² encoding schemes (see, e.g., [Dum98]), Corollary 6.3.5 is asymptotically still true if we restrict to computationally efficient protocols (see also [HR05]). More precisely, this result can be formulated as follows. 

Proposition C.2.1. Let $P_{XY} \in \mathcal{P}(\mathcal{X} \times \mathcal{Y})$ be a probability distribution and let $\delta > 0$. Then there exists a family of computationally efficient information reconciliation protocols $\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}$ (parameterized by $n \in \mathbb{N}$) which are $\varepsilon_n$-fully secure, $\varepsilon_n$-robust on the product distribution $(P_{XY})^n$, and have leakage $\frac{1}{n} \mathrm{leak}_{\mathrm{IR}_{\mathcal{C}_n, \mathrm{dec}_n}} \leq H(X|Y) + \delta$, for any $n \in \mathbb{N}$, where $\lim_{n \to \infty} \varepsilon_n = 0$. 

² An encoding scheme $\{(\mathcal{C}_n, \mathrm{dec}_n)\}_{n \in \mathbb{N}}$ is said to be efficient if there exist polynomial-time algorithms (in $n$) for sampling a codeword from the set $\mathcal{C}_n$ and for evaluating the decoding function $\mathrm{dec}_n$. 
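
The protocol of Fig. C.1 can be run end to end on a toy instance. The following is an added example, not code from the thesis: it assumes the binary alphabet with XOR as group operation, takes the extended Hamming [8,4] code as the code $\mathcal{C}_n$, and uses bounded-distance decoding (radius 1) as the decoding function, none of which the text prescribes. It shows the three outcomes (correct key, abort, undetected wrong key) and the leakage $n \log|\mathcal{X}| - \log|\mathcal{C}_n|$.

```python
import itertools
import math
import random

N = 8  # block length n; alphabet X = {0,1}, group operation = XOR (its own inverse)

# Generator rows of the extended Hamming [8,4] code (assumed choice for C_n).
G = [
    (1, 0, 0, 0, 1, 1, 0, 1),
    (0, 1, 0, 0, 1, 0, 1, 1),
    (0, 0, 1, 0, 0, 1, 1, 1),
    (0, 0, 0, 1, 1, 1, 1, 0),
]

def xor(a, b):
    return tuple(i ^ j for i, j in zip(a, b))

def weight(v):
    return sum(v)

def span(rows):
    """All GF(2) linear combinations of the generator rows."""
    words = []
    for coeffs in itertools.product((0, 1), repeat=len(rows)):
        w = (0,) * N
        for bit, row in zip(coeffs, rows):
            if bit:
                w = xor(w, row)
        words.append(w)
    return words

CODE = span(G)  # the code C_n: 16 codewords, minimum distance 4

def dec(c, y, radius=1):
    """dec_n(c, y): bounded-distance decoding of c XOR y = u XOR (x XOR y).
    Returns None when no codeword lies within the radius (decoding failure)."""
    noisy = xor(c, y)
    best = min(CODE, key=lambda w: weight(xor(w, noisy)))
    return best if weight(xor(best, noisy)) <= radius else None

def alice(x, rng=random):
    """Alice: pick u uniformly from C_n and send c := x XOR u."""
    u = rng.choice(CODE)
    return xor(x, u)

def bob(c, y):
    """Bob: u_hat := dec_n(c, y); abort (None) on failure, else x_hat := c XOR u_hat."""
    u_hat = dec(c, y)
    if u_hat is None:
        return None
    return xor(c, u_hat)

def leakage_bits():
    """leak = n log|X| - log|C_n| (binary logarithm)."""
    return N * math.log2(2) - math.log2(len(CODE))

def transcripts(x):
    """Support of the communication c for a fixed input x (a coset of C_n)."""
    return {xor(x, u) for u in CODE}

def flip(x, positions):
    """Return x with the given bit positions flipped (models Bob's noisy y)."""
    e = tuple(1 if i in positions else 0 for i in range(N))
    return xor(x, e)

if __name__ == "__main__":
    rng = random.Random(1)
    x = tuple(rng.randrange(2) for _ in range(N))  # constructed sample input
    for errs in ((), (3,), (1, 6), (0, 2, 5)):
        out = bob(alice(x, rng), flip(x, errs))
        verdict = "abort" if out is None else ("ok" if out == x else "wrong key")
        print(len(errs), "errors ->", verdict)
    print("leakage:", leakage_bits(), "bits")
```

The undetected wrong key at three errors is the event counted by the maximum error probability of the encoding scheme; the abort branch only catches error patterns that leave Bob's word outside every decoding ball.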



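Appendix D 

Notation 

General 

$\log$ : binary logarithm 
$\ln$ : natural logarithm 
$\delta_{x,y}$ : Kronecker symbol: $\delta_{x,y} \in \{0, 1\}$, $\delta_{x,y} = 1$ iff $x = y$ 
$\bar{c}$ : complex conjugate of $c$ 
$\Re(c)$ : real value of $c$ 
$\mathcal{P}(\mathcal{X})$ : set of nonnegative functions on the set $\mathcal{X}$ 
 : set of permutations on the set $\{1, \ldots, n\}$ 
$\mathbb{E}_x[f(x)]$ : expectation of $f(x)$ over random choices of $x$ 
$\mathrm{supp}(f)$ : support of the function $f$ 
$[a, b]$ : set of real numbers $r$ such that $a \leq r \leq b$ 
$[a, b)$ : set of real numbers $r$ such that $a \leq r < b$ 

Frequency distributions and types 

$\lambda_x$ : frequency distribution of the $n$-tuple $x$ 
$\mathcal{Q}_n^{\mathcal{X}}$ : set of types with denominator $n$ on the set $\mathcal{X}$ 
$\Lambda_n^Q$ : type class of the type $Q$ with denominator $n$ 

Vectors 

$\mathrm{span}\, V$ : space spanned by the set of vectors $V$ 
$\langle\phi|\psi\rangle$ : scalar product of the vectors $|\phi\rangle$ and $|\psi\rangle$ 
$\||\phi\rangle\|$ : norm of the vector $|\phi\rangle$ 
$|\phi\rangle\langle\phi|$ : projector onto the vector $|\phi\rangle$ 
$\mathcal{S}_1(\mathcal{H})$ : set of normalized vectors on $\mathcal{H}$ 

Operators 

$\mathcal{P}(\mathcal{H})$ : set of nonnegative operators on $\mathcal{H}$ 
$\mathrm{id}$ : identity 
$\mathrm{tr}(S)$ : trace of the hermitian operator $S$ 
$\mathrm{supp}(S)$ : support of the hermitian operator $S$ 
$\mathrm{rank}(S)$ : rank of the hermitian operator $S$ 
$\lambda_{\max}(S)$ : maximum eigenvalue of the hermitian operator $S$ 
$\|S\|_1$ : trace norm of the hermitian operator $S$ 

Distance measures for operators 

$\|\rho - \rho'\|_1$ : $L_1$-distance between $\rho$ and $\rho'$ 
$F(\rho, \rho')$ : fidelity between $\rho$ and $\rho'$ 
$d(\rho_{AB}|B)$ : $L_1$-distance from uniform of $\rho_{AB}$ given $B$ 
$d_2(\rho_{AB}|\sigma_B)$ : $L_2$-distance from uniform of $\rho_{AB}$ relative to $\sigma_B$ 

Entropies 

$H(P_X)$ : Shannon entropy of the probability distribution $P_X$ 
$h(p)$ : binary Shannon entropy with bias $p$ 
$H(\rho_A)$ : von Neumann entropy of the density operator $\rho_A$ 
$H(A|B)$ : conditional entropy $H(\rho_{AB}) - H(\rho_B)$ 
$D(\rho\|\sigma)$ : relative entropy of $\rho$ to $\sigma$ 
$H_{\min}(\rho_{AB}|\sigma_B)$ : min-entropy of $\rho_{AB}$ relative to $\sigma_B$ 
$H_{\max}(\rho_{AB}|\sigma_B)$ : max-entropy of $\rho_{AB}$ relative to $\sigma_B$ 
$H^{\varepsilon}_{\min}(\rho_{AB}|\sigma_B)$ : $\varepsilon$-smooth min-entropy of $\rho_{AB}$ relative to $\sigma_B$ 
$H^{\varepsilon}_{\max}(\rho_{AB}|\sigma_B)$ : $\varepsilon$-smooth max-entropy of $\rho_{AB}$ relative to $\sigma_B$ 
$H^{\varepsilon}_{\min}(\rho_{AB}|B)$ : $\varepsilon$-smooth min-entropy of $\rho_{AB}$ given $\mathcal{H}_B$ 
$H^{\varepsilon}_{\max}(\rho_{AB}|B)$ : $\varepsilon$-smooth max-entropy of $\rho_{AB}$ given $\mathcal{H}_B$ 
$H^{\varepsilon}_{\min}(A|B)$ : abbreviation for $H^{\varepsilon}_{\min}(\rho_{AB}|B)$ 
$H^{\varepsilon}_{\max}(A|B)$ : abbreviation for $H^{\varepsilon}_{\max}(\rho_{AB}|B)$ 
$H_2(\rho_{AB}|\sigma_B)$ : collision entropy of $\rho_{AB}$ relative to $\sigma_B$ 

Symmetric spaces 

$\mathrm{Sym}(\mathcal{H}^{\otimes n})$ : Symmetric subspace of $\mathcal{H}^{\otimes n}$ 
$\mathrm{Sym}(\mathcal{H}^{\otimes n}, |\theta\rangle^{\otimes m})$ : Symmetric subspace of $\mathcal{H}^{\otimes n}$ along $|\theta\rangle^{\otimes m}$ 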